CVE-2020-10744

CVSS v3.1

5.0

Medium

Vector

AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions Ansible Engine versions prior to 2.9.9 Ansible Tower versions prior to 3.6.4

Description The issue is related to an insecure temporary directory when running become user from the become directive. The provided fix is insufficient to prevent a race condition on systems using ACLs and FUSE filesystems.

Recommendations For Ansible Engine versions prior to 2.9.9, update to a version that includes a complete fix for the issue. For Ansible Tower versions prior to 3.6.4, update to a version that includes a complete fix for the issue. As a temporary workaround, consider restricting the use of the become user directive from the become directive until a complete patch is available.

Fix

Race Condition

Exposure of Resource to Wrong Sphere

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-362CWE-668CWE-377

Related Identifiers

ALT-PU-2020-2341

ALT-PU-2020-3006

ALT-PU-2021-1800

CVE-2020-10744

GHSA-VP9J-RGHQ-8JHH

PYSEC-2020-208

SUSE-SU-2020:2911-1

SUSE-SU-2020:3309-1

SUSE-SU-2024:1509-1

USN-5315-1

Affected Products

Alt Linux

Ansible-Core

Ansible Engine

Ansible Tower

Linuxmint

Ubuntu

CVE-2020-10744

Weakness Enumeration

Related Identifiers

Affected Products

References · 160