CVE-2020-1733
Summary
| CVE | CVE-2020-1733 |
|---|
| State | PUBLIC |
|---|
| Assigner | [email protected] |
|---|
| Source Priority | CVE Program / NVD first with legacy fallback |
|---|
| Published | 2020-03-11 19:15:00 UTC |
|---|
| Updated | 2023-11-07 03:19:00 UTC |
|---|
| Description | A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/<pid>/cmdline'. |
|---|
NVD Known Affected Configurations (CPE 2.3)
References
| Reference | Source | Link | Tags |
|---|
| [SECURITY] Fedora 32 Update: ansible-2.9.7-1.fc32 - package-announce - Fedora Mailing-Lists |
FEDORA |
lists.fedoraproject.org |
Third Party Advisory |
| [SECURITY] [DLA 2202-1] ansible security update |
MLIST |
lists.debian.org |
Third Party Advisory |
| [SECURITY] Fedora 30 Update: ansible-2.9.7-1.fc30 - package-announce - Fedora Mailing-Lists |
FEDORA |
lists.fedoraproject.org |
Third Party Advisory |
| [SECURITY] Fedora 32 Update: ansible-2.9.7-1.fc32 - package-announce - Fedora Mailing-Lists |
|
lists.fedoraproject.org |
|
| Ansible: Multiple vulnerabilities (GLSA 202006-11) — Gentoo security |
GENTOO |
security.gentoo.org |
|
| [SECURITY] Fedora 30 Update: ansible-2.9.7-1.fc30 - package-announce - Fedora Mailing-Lists |
|
lists.fedoraproject.org |
|
| Debian -- Security Information -- DSA-4950-1 ansible |
DEBIAN |
www.debian.org |
|
| [SECURITY] Fedora 31 Update: ansible-2.9.7-1.fc31 - package-announce - Fedora Mailing-Lists |
FEDORA |
lists.fedoraproject.org |
Third Party Advisory |
| Insecure creation of temporary directory for become_user · Issue #67791 · ansible/ansible · GitHub |
MISC |
github.com |
Exploit, Third Party Advisory |
| [SECURITY] Fedora 31 Update: ansible-2.9.7-1.fc31 - package-announce - Fedora Mailing-Lists |
|
lists.fedoraproject.org |
|
| 1801735 – (CVE-2020-1733) CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive |
CONFIRM |
bugzilla.redhat.com |
Issue Tracking, Vendor Advisory |
| CVE Program record |
CVE.ORG |
www.cve.org |
canonical |
| NVD vulnerability detail |
NVD |
nvd.nist.gov |
canonical, analysis |
No vendor comments have been submitted for this CVE.
Legacy QID Mappings
- 178744 Debian Security Update for ansible (DSA 4950-1)
- 356226 Amazon Linux Security Advisory for ansible : ALASANSIBLE2-2023-008
- 500010 Alpine Linux Security Update for ansible
- 501350 Alpine Linux Security Update for ansible-base
- 690148 Free Berkeley Software Distribution (FreeBSD) Security Update for ansible (50ec3a01-ad77-11eb-8528-8c164582fbac)
- 981356 Python (pip) Security Update for ansible (GHSA-g4mq-6fp5-qwcf)
