PT-2020-5090 · Red Hat+2 · Ansible+2

Samdoran · Published 2020-03-09 · Updated 2025-11-21 · CVE-2020-1737

CVSS v4.0: 8.5 High

Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Ansible versions 2.7.17 and prior
Ansible versions 2.8.9 and prior
Ansible versions 2.9.6 and prior

Description

A flaw was found in Ansible when using the Extract-Zip function from the win_unzip module. Extracted files are not checked to confirm that they belong to the destination folder, so an attacker can craft an archive that places files anywhere in the file system using path traversal. This issue may impact the confidentiality, integrity, and availability of protected information.

Recommendations

For Ansible versions 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior, update to version 2.10 or later. As a temporary workaround, consider restricting the use of the win_unzip module until a patch is available.
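
The check the description says is missing, shown as an added example (not Ansible's code and not the project's fix): each archive entry is resolved to a full path and rejected unless it stays under the destination folder. The function names, the destination `C:\extract` and the entry names are constructed for illustration, and Windows path semantics are assumed.

```powershell
# Added example with hypothetical helper names; not the win_unzip module's code.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Resolve-EntryTarget {
    param(
        [Parameter(Mandatory)][string]$Destination,
        [Parameter(Mandatory)][string]$EntryName
    )
    # Canonicalise the destination and force a trailing separator so that
    # C:\extract does not also match C:\extract-other.
    $sep  = [System.IO.Path]::DirectorySeparatorChar
    $root = [System.IO.Path]::GetFullPath($Destination).TrimEnd($sep) + $sep
    # GetFullPath collapses ".." segments; Combine lets a rooted entry name
    # replace the base, which the prefix test below then rejects.
    $target = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($root, $EntryName))
    if (-not $target.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Entry '$EntryName' resolves outside '$root'"
    }
    return $target
}

function Expand-ZipChecked {
    param([string]$ZipPath, [string]$Destination)
    $zip = [System.IO.Compression.ZipFile]::OpenRead($ZipPath)
    try {
        # Validate every entry before writing anything, so a rejected
        # archive leaves no partial extraction behind.
        $plan = foreach ($entry in $zip.Entries) {
            [pscustomobject]@{ Entry = $entry; Target = (Resolve-EntryTarget $Destination $entry.FullName) }
        }
        foreach ($item in $plan) {
            if ($item.Entry.FullName -match '[\\/]$') {   # directory entry
                New-Item -ItemType Directory -Force -Path $item.Target | Out-Null
                continue
            }
            New-Item -ItemType Directory -Force -Path (Split-Path $item.Target -Parent) | Out-Null
            [System.IO.Compression.ZipFileExtensions]::ExtractToFile($item.Entry, $item.Target, $true)
        }
    } finally { $zip.Dispose() }
}

# Constructed entry names checked against a constructed destination.
foreach ($name in 'docs/readme.txt', '..\..\Windows\Temp\x.txt', 'C:\Users\Public\x.txt') {
    try   { $t = Resolve-EntryTarget 'C:\extract' $name; "OK      $t" }
    catch { "BLOCKED $name" }
}
```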

Fix

Path traversal

Weakness Enumeration

Related Identifiers

ALT-PU-2020-1453
ALT-PU-2020-1490
ALT-PU-2020-2050
ALT-PU-2020-2069
BDU:2020-05681
CVE-2020-1737
GHSA-893H-35V4-MXQX
MGASA-2020-0217
OESA-2021-1349
OESA-2022-1950
OPENSUSE-SU-2022:0081-1
OPENSUSE-SU-2024:10615-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
PYSEC-2020-9
RHSA-2020:1541
RHSA-2020:1542
RHSA-2020:1543
RHSA-2020:1544
SUSE-SU-2020:3309-1

Affected Products

Alt Linux
Ansible
Astra Linux