PT-2020-6579 · Unknown+5 · Ansible Engine+5

Samdoran

·

Published

2020-03-11

·

Updated

2025-11-21

·

CVE-2020-1733

CVSS v3.1

5.0

Medium

VectorAV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions Ansible Engine versions 2.7.17 and prior Ansible Engine versions 2.8.9 and prior Ansible Engine versions 2.9.6 and prior
Description The issue is related to a race condition flaw in Ansible Engine when running a playbook with an unprivileged become user. This flaw can be exploited to gain access to confidential data, compromise data integrity, and cause a denial of service. The vulnerability is associated with insecure temporary files created in /var/tmp. An attacker could exploit this by taking control of the become user, as the target directory can be retrieved by iterating '/proc//cmdline'.
Recommendations For Ansible Engine versions 2.7.17 and prior, update to a version that includes the fix for this issue. For Ansible Engine versions 2.8.9 and prior, update to a version that includes the fix for this issue. For Ansible Engine versions 2.9.6 and prior, update to a version that includes the fix for this issue. As a temporary workaround, consider restricting access to the temporary directory in /var/tmp to minimize the risk of exploitation.

Exploit

Fix

Race Condition

Exposure of Resource to Wrong Sphere

Weakness Enumeration

CWE-362CWE-668CWE-377

Related Identifiers

ALT-PU-2020-1453
ALT-PU-2020-1490
ALT-PU-2020-2050
ALT-PU-2020-2069
BDU:2022-00282
CVE-2020-1733
DLA-2202-1
DSA-4950-1
GHSA-G4MQ-6FP5-QWCF
MGASA-2020-0217
OPENSUSE-SU-2022:0081-1
OPENSUSE-SU-2024:10615-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
PYSEC-2020-5
RHSA-2020:1541
RHSA-2020:1542
RHSA-2020:1543
RHSA-2020:1544
SUSE-SU-2020:2911-1
SUSE-SU-2020:3309-1
USN-5315-1

Affected Products

Alt Linux
Ansible-Core
Ansible Engine
Astra Linux
Linuxmint
Ubuntu