{
  "threat_severity" : "Moderate",
  "public_date" : "2020-03-27T00:00:00Z",
  "bugzilla" : {
    "description" : "Ansible: archive traversal vulnerability in ansible-galaxy collection install",
    "id" : "1817161",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1817161"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage of this flaw to overwrite any file on the system.", "An archive traversal flaw was found in Ansible Engine when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage of this flaw to overwrite any file on the system." ],
  "statement" : "Ansible Engine 2.9.6 as well as previous 2.9.x versions are affected. Ansible versions less than or equal to 2.8 are not affected by this vulnerability, as this functionality was introduced in 2.9.\nAnsible Tower 3.6.3 as well as previous 3.6.x versions are affected, as they use ansible-galaxy collections.",
  "acknowledgement" : "Red Hat would like to thank Felix Fountein for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Engine 2.9 for RHEL 7",
    "release_date" : "2020-04-22T00:00:00Z",
    "advisory" : "RHSA-2020:1541",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.9::el7",
    "package" : "ansible-0:2.9.7-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.9 for RHEL 8",
    "release_date" : "2020-04-22T00:00:00Z",
    "advisory" : "RHSA-2020:1541",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.9::el8",
    "package" : "ansible-0:2.9.7-1.el8ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 7",
    "release_date" : "2020-04-22T00:00:00Z",
    "advisory" : "RHSA-2020:1542",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el7",
    "package" : "ansible-0:2.9.7-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 8",
    "release_date" : "2020-04-22T00:00:00Z",
    "advisory" : "RHSA-2020:1542",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el8",
    "package" : "ansible-0:2.9.7-1.el8ae"
  }, {
    "product_name" : "Red Hat Ansible Tower 3.6 for RHEL 7",
    "release_date" : "2020-04-22T00:00:00Z",
    "advisory" : "RHBA-2020:1540",
    "cpe" : "cpe:/a:redhat:ansible_tower:3.6::el7",
    "package" : "ansible-tower-36/ansible-tower:3.6.4-1"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Not affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-10691\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10691" ],
  "name" : "CVE-2020-10691",
  "mitigation" : {
    "value" : "A possible mitigation for this archive traversal issue is to restrict file access controls and directory write access when extracting tarball files. This is feasible only in scenarios where the destination path can be known and enforced beforehand.",
    "lang" : "en:us"
  },
  "csaw" : false
}