CVE-2020-10691
Public on 2020-04-30
Modified on 2024-02-12
Description
An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.
Severity
Medium
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Ansible2 Extra | ansible | 2023-08-21 | ALAS2ANSIBLE2-2023-008 | Fixed |
| Amazon Linux 2023 | ansible-core | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 5.2 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L |
| NVD | CVSSv2 | 3.6 | AV:L/AC:L/Au:N/C:N/I:P/A:P |
| NVD | CVSSv3 | 5.2 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L |