Home > Vulnerability Database > CVE-2020-1740

Mend.io Vulnerability Database

CVE-2020-1740

Good to know:

Date: March 16, 2020

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Language: Python

Severity Score

3.9

Related Resources (23)

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/

Url: https://nvd.nist.gov/vuln/detail/CVE-2020-1740

Url: https://www.debian.org/security/2021/dsa-4950

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/

Url: https://github.com/advisories/GHSA-vcg8-98q8-g7mj

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB

Url: https://github.com/ansible/ansible/commit/ef32a5bf96a89107986375516285253c1380d7ef

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/

Url: https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html

Url: https://github.com/ansible/ansible/commit/2a563514f070a0a8ba64aebf6bce21194be96c73

Url: https://github.com/ansible/ansible

Url: https://github.com/ansible/ansible/commit/685a4b6d3ff72186d2b4ffce73172a5446a71ccc

Url: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW

Url: https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/

Url: https://github.com/ansible/ansible/issues/67798

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/

Url: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S

Url: https://github.com/ansible/ansible/commit/28f9fbdb5e281976e33f443193047068afb97a9b

Url: https://security.gentoo.org/glsa/202006-11

Url: https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-12.yaml

Url: https://www.mend.io/vulnerability-database/CVE-2020-1740

Severity Score

3.9

Weakness Type (CWE)

Information Leak / Disclosure

CWE-200

Insecure Temporary File

CWE-377

Top Fix

Upgrade Version

Upgrade to version ansible - 2.7.17,2.8.11,2.9.7

Learn More

CVSS v3.1

Base Score:	3.9
Attack Vector (AV):	LOCAL
Attack Complexity (AC):	HIGH
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

CVSS v2

Base Score:	1.9
Access Vector (AV):	LOCAL
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	NONE
Availability (A):	NONE
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2020-1740

Good to know:

Date: March 16, 2020

Language: Python

Severity Score

Related Resources (23)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?