PYSEC-2020-2

Details

An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage of this to overwrite any file within the system.

Affected packages

PyPI / ansible
Introduced in: 2.9.0
Fixed in: 2.9.7
Fix: pip install --upgrade 'ansible>=2.9.7'
