PYSEC-2020-2

See a problem?

Import Source

https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2020-2.yaml

JSON Data

https://api.osv.dev/v1/vulns/PYSEC-2020-2

Aliases

CVE-2020-10691
GHSA-3c67-gc48-983w

Published

2020-04-30T17:15:00Z

Modified

2023-11-01T04:51:25.466069Z

Summary

[none]

Details

An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691
https://github.com/ansible/ansible/pull/68596
https://github.com/advisories/GHSA-3c67-gc48-983w

Affected packages

PyPI / ansible

Package

Name: ansible; View open source insights on deps.dev
Purl: pkg:pypi/ansible

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.9.0

Fixed

2.9.7

Affected versions

2.*

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6