Description
A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
References (5)
Core 5
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736
Exploit, Issue Tracking, Third Party Advisory x_refsource_confirm
https://github.com/ansible/ansible/issues/67794
Third Party Advisory vendor-advisory
x_refsource_gentoo
https://security.gentoo.org/glsa/202006-11
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2NYYQP2XJB2TTRP6AKWVMBSPB2DFJNKD/
Mailing List, Third Party Advisory vendor-advisory
x_refsource_fedora
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BPNZWBAUP4ZHUR6PO7U6ZXEKNCX62KZ7/
Scores
CVSS v3
2.2
EPSS
0.0006
EPSS Percentile
18.2%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
Details
CWE
CWE-732
Status
published
Products (7)
fedoraproject/fedora
31
fedoraproject/fedora
32
pypi/ansible
2.7.0PyPI
redhat/ansible
< 2.7.16
redhat/ansible_tower
< 3.3.4
redhat/cloudforms_management_engine
5.0
redhat/openstack
13
Published
Mar 16, 2020
Tracked Since
Feb 18, 2026