Vulnerability Details : CVE-2020-1733
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/<pid>/cmdline'.
Products affected by CVE-2020-1733
- cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:cloudforms_management_engine:5.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2020-1733
0.07%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 31 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2020-1733
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
3.7
|
LOW | AV:L/AC:H/Au:N/C:P/I:P/A:P |
1.9
|
6.4
|
NIST | |
5.0
|
MEDIUM | CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L |
0.8
|
3.7
|
Red Hat, Inc. | |
5.0
|
MEDIUM | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L |
0.8
|
3.7
|
NIST |
CWE ids for CVE-2020-1733
-
The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.Assigned by: nvd@nist.gov (Primary)
-
Creating and using insecure temporary files can leave application and system data vulnerable to attack.Assigned by: secalert@redhat.com (Secondary)
References for CVE-2020-1733
-
https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
[SECURITY] [DLA 2202-1] ansible security updateMailing List;Third Party Advisory
-
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1733
1801735 – (CVE-2020-1733) CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directiveIssue Tracking;Vendor Advisory
-
https://security.gentoo.org/glsa/202006-11
Ansible: Multiple vulnerabilities (GLSA 202006-11) — Gentoo securityThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
[SECURITY] Fedora 31 Update: ansible-2.9.7-1.fc31 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://www.debian.org/security/2021/dsa-4950
Debian -- Security Information -- DSA-4950-1 ansibleThird Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
[SECURITY] Fedora 30 Update: ansible-2.9.7-1.fc30 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
[SECURITY] Fedora 32 Update: ansible-2.9.7-1.fc32 - package-announce - Fedora Mailing-ListsMailing List;Third Party Advisory
-
https://github.com/ansible/ansible/issues/67791
Insecure creation of temporary directory for become_user · Issue #67791 · ansible/ansible · GitHubExploit;Third Party Advisory
Jump to