Description
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
References (8)
Scores
CVSS v3
3.9
EPSS
0.0003
EPSS Percentile
10.1%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-377
CWE-200
Status
published
Products (10)
debian/debian_linux
8.0
debian/debian_linux
10.0
fedoraproject/fedora
30
fedoraproject/fedora
31
fedoraproject/fedora
32
pypi/ansible
0 - 2.7.17PyPI
redhat/ansible
< 2.7.17
redhat/ansible_tower
< 3.3.4
redhat/cloudforms_management_engine
5.0
redhat/openstack
13
Published
Mar 16, 2020
Tracked Since
Feb 18, 2026