Описание
Path Traversal in Ansible
An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2020-10691
- https://github.com/ansible/ansible/pull/68596
- https://github.com/ansible/ansible/commit/b2551bb6943eec078066aa3a923e0bb3ed85abe8
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691
- https://github.com/advisories/GHSA-3c67-gc48-983w
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-2.yaml
Пакеты
ansible
>= 2.9.0a1, < 2.9.7
2.9.7
Связанные уязвимости
An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.
An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.
An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.
An archive traversal flaw was found in all ansible-engine versions 2.9 ...
