Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2020-1740

Опубликовано: 16 мар. 2020
Источник: nvd
CVSS3: 3.9
CVSS3: 4.7
CVSS2: 1.9
EPSS Низкий

Описание

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
Версия до 2.7.17 (исключая)
cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
Версия от 2.8.0 (включая) до 2.8.11 (исключая)
cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
Версия от 2.9.0 (включая) до 2.9.7 (исключая)
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Версия до 3.3.4 (включая)
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Версия от 3.3.5 (включая) до 3.4.5 (включая)
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Версия от 3.5.0 (включая) до 3.5.5 (включая)
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Версия от 3.6.0 (включая) до 3.6.3 (включая)
cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
Конфигурация 2

Одно из

cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Конфигурация 3

Одно из

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

EPSS

Процентиль: 8%
0.00029
Низкий

3.9 Low

CVSS3

4.7 Medium

CVSS3

1.9 Low

CVSS2

Дефекты

CWE-377
CWE-200

Связанные уязвимости

ubuntu логотип

CVE-2020-1740

CVSS3: 3.9
ubuntu
почти 6 лет назад

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

redhat логотип

CVE-2020-1740

CVSS3: 3.9
redhat
почти 6 лет назад

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

debian логотип

CVE-2020-1740

CVSS3: 3.9
debian
почти 6 лет назад

A flaw was found in Ansible Engine when using Ansible Vault for editin ...

github логотип

GHSA-vcg8-98q8-g7mj

CVSS3: 4.7
github
почти 5 лет назад

Exposure of Sensitive Information to an Unauthorized Actor and Insecure Temporary File in Ansible

fstec логотип

BDU:2022-00285

CVSS3: 4.7
fstec
почти 6 лет назад

Уязвимость метода write_data системы управления конфигурациями Ansible, связанная с небезопасными временными файлами, позволяющая нарушителю получить доступ к конфиденциальным данным

EPSS

Процентиль: 8%
0.00029
Низкий

3.9 Low

CVSS3

4.7 Medium

CVSS3

1.9 Low

CVSS2

Дефекты

CWE-377
CWE-200