CVE-2020-1737
Severity: HIGH
Ansible < 2.7.17, 2.8.0a1-2.8.9 - Path Traversal via win_unzip Module
A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module, because the extracted file(s) are not checked to confirm that they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive that writes anywhere in the file system, using a path traversal. This issue is fixed in 2.10.
References (6)
- Issue Tracking, Vendor Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1737
- Third Party Advisory (x_refsource_misc): https://github.com/ansible/ansible/issues/67795
- Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FWDK3QUVBULS3Q3PQTGEKUQYPSNOU5M3/
- Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QT27K5ZRGDPCH7GT3DRI3LO4IVDVQUB7/
- Mailing List, Third Party Advisory, vendor-advisory (x_refsource_fedora): https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/U3IMV3XEIUXL6S4KPLYYM4TVJQ2VNEP2/
- Third Party Advisory, vendor-advisory (x_refsource_gentoo): https://security.gentoo.org/glsa/202006-11
Scores
CVSS v3: 7.5
EPSS: 0.0016
EPSS Percentile: 35.8%
Attack Vector: LOCAL
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Details
CWE: CWE-22
Status: published
Products (3)
- pypi/ansible: 2.8.0a1 - 2.8.9 (PyPI)
- redhat/ansible_engine: < 2.7.17
- redhat/ansible_tower: < 3.3.4
Published: Mar 09, 2020
Tracked Since: Feb 18, 2026