CVE-2020-1740

Summary

CVE	CVE-2020-1740
State	PUBLIC
Assigner	[email protected]
Source Priority	CVE Program / NVD first with legacy fallback
Published	2020-03-16 16:15:00 UTC
Updated	2023-11-07 03:19:00 UTC
Description	A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Risk And Classification

Problem Types: CWE-377

NVD Known Affected Configurations (CPE 2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Operating System	Debian	Debian Linux	10.0	All	All	All
Operating System	Debian	Debian Linux	8.0	All	All	All
Operating System	Fedoraproject	Fedora	30	All	All	All
Operating System	Fedoraproject	Fedora	31	All	All	All
Operating System	Fedoraproject	Fedora	32	All	All	All
Application	Redhat	Ansible	All	All	All	All
Application	Redhat	Ansible	All	All	All	All
Application	Redhat	Ansible	All	All	All	All
Application	Redhat	Ansible	All	All	All	All
Application	Redhat	Ansible Tower	All	All	All	All
Application	Redhat	Ansible Tower	All	All	All	All
Application	Redhat	Ansible Tower	All	All	All	All
Application	Redhat	Ansible Tower	All	All	All	All
Application	Redhat	Cloudforms Management Engine	5.0	All	All	All
Application	Redhat	Cloudforms Management Engine	5.0	All	All	All
Application	Redhat	Openstack	13	All	All	All
Application	Redhat	Openstack	13.0	All	All	All
Application	Redhat	Openstack	13.0	All	All	All

References

Reference	Source	Link	Tags
[SECURITY] Fedora 32 Update: ansible-2.9.7-1.fc32 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] [DLA 2202-1] ansible security update	MLIST	lists.debian.org
[SECURITY] Fedora 30 Update: ansible-2.9.7-1.fc30 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 32 Update: ansible-2.9.7-1.fc32 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
Ansible: Multiple vulnerabilities (GLSA 202006-11) — Gentoo security	GENTOO	security.gentoo.org
1802193 – (CVE-2020-1740) CVE-2020-1740 ansible: secrets readable after ansible-vault edit	CONFIRM	bugzilla.redhat.com	Issue Tracking, Vendor Advisory
[SECURITY] Fedora 30 Update: ansible-2.9.7-1.fc30 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
ansible-vault edit race condition · Issue #67798 · ansible/ansible · GitHub	CONFIRM	github.com	Third Party Advisory
Debian -- Security Information -- DSA-4950-1 ansible	DEBIAN	www.debian.org
[SECURITY] Fedora 31 Update: ansible-2.9.7-1.fc31 - package-announce - Fedora Mailing-Lists	FEDORA	lists.fedoraproject.org
[SECURITY] Fedora 31 Update: ansible-2.9.7-1.fc31 - package-announce - Fedora Mailing-Lists		lists.fedoraproject.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

No vendor comments have been submitted for this CVE.

Legacy QID Mappings

178744 Debian Security Update for ansible (DSA 4950-1)
356226 Amazon Linux Security Advisory for ansible : ALASANSIBLE2-2023-008
500010 Alpine Linux Security Update for ansible
501350 Alpine Linux Security Update for ansible-base
981359 Python (pip) Security Update for ansible (GHSA-vcg8-98q8-g7mj)