You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
CVE-2020-1740 - Medium Severity Vulnerability
Vulnerable Libraries - ansible-2.2.3.0.tar.gz, ansible-2.5.4.tar.gz
ansible-2.2.3.0.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/ba/41/83e024cdf5ca3b53c14261f268da7512ca395b893cab98c0639f9644b6b7/ansible-2.2.3.0.tar.gz
Path to dependency file: yugabyte-db/cloud/kubernetes/yb-multiregion-k8s
Path to vulnerable library: yugabyte-db/cloud/kubernetes/yb-multiregion-k8s,yugabyte-db/managed/devops/python_requirements.txt
Dependency Hierarchy:
ansible-2.5.4.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/6e/95/490f5e39ee7cc7956eecd070610f0a873b97781c9efdbf6098bad2ed3ee0/ansible-2.5.4.tar.gz
Path to dependency file: yugabyte-db/managed/devops/python3_requirements.txt
Path to vulnerable library: yugabyte-db/managed/devops/python3_requirements.txt,yugabyte-db/cloud/kubernetes/yb-multiregion-k8s
Dependency Hierarchy:
Found in HEAD commit: d5a0ed9bff63893a5435e09333d22846f6bb3acc
Found in base branch: master
Vulnerability Details
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Publish Date: 2020-03-16
URL: CVE-2020-1740
CVSS 3 Score Details (4.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1740
Release Date: 2020-03-16
Fix Resolution: ansible - 2.7.17,2.8.11,2.9.7
The text was updated successfully, but these errors were encountered: