CVE-2020-1740

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2020-1740
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

3.9 /10

CVSS v3 : LOW

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 2.7

Attack Vector LOCAL

Attack Complexity HIGH

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

1.9 /10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:M/Au:N/C:P/I:N/A:N

Exploitability : 3.4 / Impact : 2.9

Access Vector LOCAL

Access Complexity MEDIUM

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740 Issue Tracking Vendor Advisory
https://github.com/ansible/ansible/issues/67798 Issue Tracking Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
https://security.gentoo.org/glsa/202006-11 Third Party Advisory
https://www.debian.org/security/2021/dsa-4950 Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740 Issue Tracking Vendor Advisory
https://github.com/ansible/ansible/issues/67798 Issue Tracking Third Party Advisory
https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html Mailing List Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
https://security.gentoo.org/glsa/202006-11 Third Party Advisory
https://www.debian.org/security/2021/dsa-4950 Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
History

No history.

Information

Published : 2020-03-16 16:15

Updated : 2024-11-21 05:11

NVD link : CVE-2020-1740

Mitre link : CVE-2020-1740

CVE.ORG link : CVE-2020-1740

JSON object : View

Products Affected

redhat

  • cloudforms_management_engine
  • ansible
  • openstack
  • ansible_tower

debian

  • debian_linux

fedoraproject

  • fedora
CWE
CWE-377

Insecure Temporary File

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor