CVE-2020-1735

CVSS v3.1

4.6

Medium

Vector

AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions Ansible Engine versions 2.7.x through 2.9.x

Description A flaw was found in the Ansible Engine when the fetch module is used, allowing an attacker to intercept the module, inject a new path, and choose a new destination path on the controller node. The vulnerability is related to insufficient path name restrictions in the fetch module, which could allow an attacker to access and compromise confidential data.

Recommendations For versions 2.7.x, 2.8.x, and 2.9.x, consider disabling the fetch module until a patch is available to prevent exploitation. Restrict access to the controller node to minimize the risk of an attacker choosing a new destination path. Avoid using the fetch module in sensitive environments until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

Path traversal

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-22

Related Identifiers

ALT-PU-2020-2050

ALT-PU-2020-2069

BDU:2022-00283

CVE-2020-1735

DSA-4950-1

GHSA-GFR2-QPXH-QJ9M

MGASA-2020-0217

OESA-2021-1349

OESA-2022-1950

OPENSUSE-SU-2022:0081-1

OPENSUSE-SU-2024:10615-1

OPENSUSE-SU-2024:14244-1

OPENSUSE-SU-2024:14536-1

OPENSUSE-SU-2025:15605-1

OPENSUSE-SU-2025:15753-1

OPENSUSE-SU-2026:10944-1

PYSEC-2020-7

RHSA-2020:1541

RHSA-2020:1542

RHSA-2020:1543

RHSA-2020:1544

SUSE-SU-2020:3309-1

Affected Products

Alt Linux

Ansible-Core

Ansible Engine

Astra Linux

CVE-2020-1735

Weakness Enumeration

Related Identifiers

Affected Products

References · 200