CVE-2020-1733

MEDIUM

Ansible Engine <2.7.17, <2.8.9, <2.9.6 - Privilege Escalation

Title source: llm
STIX 2.1

Description

A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/<pid>/cmdline'.

References (8)

Core 8
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733
Exploit, Third Party Advisory x_refsource_misc
https://github.com/ansible/ansible/issues/67791
Mailing List, Third Party Advisory mailing-list x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
Third Party Advisory vendor-advisory x_refsource_gentoo
https://security.gentoo.org/glsa/202006-11
Third Party Advisory vendor-advisory x_refsource_debian
https://www.debian.org/security/2021/dsa-4950

Scores

CVSS v3 5.0
EPSS 0.0040
EPSS Percentile 31.5%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

Details

CWE
CWE-362 CWE-377
Status published
Products (10)
debian/debian_linux 8.0
debian/debian_linux 10.0
fedoraproject/fedora 30
fedoraproject/fedora 31
fedoraproject/fedora 32
pypi/ansible 0 - 2.7.17PyPI
redhat/ansible < 2.7.16
redhat/ansible_tower < 3.3.4
redhat/cloudforms_management_engine 5.0
redhat/openstack 13
Published Mar 11, 2020
Tracked Since Feb 18, 2026