CVE-2020-10691

MEDIUM

Ansible-engine <2.9.7 - Path Traversal

Title source: llm
STIX 2.1

Description

An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.

References (2)

Core 2
Core References
Issue Tracking, Mitigation, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691
Patch, Third Party Advisory x_refsource_confirm
https://github.com/ansible/ansible/pull/68596

Scores

CVSS v3 5.2
EPSS 0.0010
EPSS Percentile 26.7%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L

Details

CWE
CWE-22
Status published
Products (3)
pypi/ansible 2.9.0a1 - 2.9.7PyPI
redhat/ansible_engine 2.9.0 - 2.9.7
redhat/ansible_tower 3.0
Published Apr 30, 2020
Tracked Since Feb 18, 2026