PT-2020-6582 · Unknown+3 · Ansible Engine+3

Samdoran · Published 2020-03-16 · Updated 2025-11-21 · CVE-2020-1740

CVSS v4.0: 5.7 Medium

Vector: AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Ansible Engine versions 2.7.x through 2.9.x

Description

A flaw was found in Ansible Engine when using Ansible Vault to edit encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret. The temporary file is created with mkstemp, but the returned file descriptor is closed and the write data method is then called to write the existing secret to the file. That method deletes the file before recreating it insecurely.
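
The file-handling pattern from the description, as an added example that is not Ansible's code; the function names and the sample secret are constructed for illustration. It compares the mode of a file that is deleted and recreated by name after the mkstemp descriptor is closed with the mode of a file written through the descriptor mkstemp returned.

```python
import os
import stat
import tempfile

SECRET = b"constructed-secret\n"  # constructed sample data, not a real vault secret


def recreate_by_name(secret: bytes, directory: str) -> int:
    """Pattern described above: mkstemp, close the fd, delete, recreate by path."""
    fd, path = tempfile.mkstemp(dir=directory)  # created 0600 with O_EXCL
    os.close(fd)                                # the safe descriptor is discarded
    os.remove(path)                             # the name is now free again
    with open(path, "wb") as fh:                # new file: 0666 & ~umask, no O_EXCL
        fh.write(secret)
    return stat.S_IMODE(os.stat(path).st_mode)


def write_via_fd(secret: bytes, directory: str) -> int:
    """Hardened form: write through the descriptor mkstemp already opened."""
    fd, path = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "wb") as fh:             # same inode, still 0600
        fh.write(secret)
    return stat.S_IMODE(os.stat(path).st_mode)


def compare(umask: int = 0o022) -> tuple[int, int]:
    """Return (mode after recreate-by-name, mode after write-via-fd)."""
    previous = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as workdir:
            return recreate_by_name(SECRET, workdir), write_via_fd(SECRET, workdir)
    finally:
        os.umask(previous)                      # restore the caller's umask


if __name__ == "__main__":
    bad, good = compare()
    print(f"recreated by name: {bad:04o}   written via mkstemp fd: {good:04o}")
```

With a umask of 077 both modes come out as 0600, but the delete-and-recreate step in the first function still opens the path by name without O_EXCL.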

Recommendations

For versions 2.7.x, 2.8.x, and 2.9.x, consider disabling the write data method until a patch is available to prevent insecure file recreation. Restrict access to the temporary files created by Ansible Vault to minimize the risk of exploitation. Avoid using the ansible-vault edit command until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Information Disclosure

Weakness Enumeration

Related Identifiers

ALT-PU-2020-2050
ALT-PU-2020-2069
BDU:2022-00285
CVE-2020-1740
DLA-2202-1
DSA-4950-1
GHSA-VCG8-98Q8-G7MJ
MGASA-2020-0217
OESA-2021-1349
OESA-2022-1950
OPENSUSE-SU-2022:0081-1
OPENSUSE-SU-2024:10615-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
PYSEC-2020-12
RHSA-2020:1541
RHSA-2020:1542
RHSA-2020:1543
RHSA-2020:1544
SUSE-SU-2020:3309-1

Affected Products

Alt Linux
Ansible-Core
Ansible Engine
Astra Linux