Vulnerability Monitor

CVE-2020-10744


The fix for CVE-2020-1733 (ansible: insecure temporary directory when running become_user from become directive) was found to be incomplete. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 and earlier versions are affected, as are Ansible Tower 3.4.5, 3.5.6, and 3.6.4 and earlier versions.


Published

2020-05-15T14:15:11.700

Last Modified

2024-11-21T04:55:58.763

Status

Modified

Source

[email protected]

Severity

CVSSv3.1: 5.0 (MEDIUM)

CVSSv2 Vector

AV:L/AC:H/Au:N/C:P/I:P/A:P

  • Access Vector: LOCAL
  • Access Complexity: HIGH
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: PARTIAL

Exploitability Score

1.9

Impact Score

6.4

Weaknesses
  • Type: Secondary
    CWE-377
  • Type: Primary
    CWE-362

Affected Vendors & Products
| Type | Vendor | Product | Version/Range | Vulnerable? |
|---|---|---|---|---|
| Application | redhat | ansible | ≤ 2.7.18 | Yes |
| Application | redhat | ansible | ≤ 2.8.12 | Yes |
| Application | redhat | ansible | ≤ 2.9.9 | Yes |
| Application | redhat | ansible_tower | ≤ 3.4.5 | Yes |
| Application | redhat | ansible_tower | ≤ 3.5.6 | Yes |
| Application | redhat | ansible_tower | ≤ 3.6.4 | Yes |

References