QwikSec

Security Database

CVE

CWE

Training

CVE-2020-1736

Published: Mar 16, 2020

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.1

2.2

LOW

Description

A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Vendor	Product	Versions
Red Hat	ansible	affected `2.7.x, 2.8.x, 2.9.x`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736

x_refsource_CONFIRM

https://github.com/ansible/ansible/issues/67794

x_refsource_CONFIRM

vendor-advisory

x_refsource_GENTOO

FEDORA-2020-1e6eeadbb4

vendor-advisory

x_refsource_FEDORA

FEDORA-2020-d5e74bf9a0

vendor-advisory

x_refsource_FEDORA

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.