—

PYSEC-2020-7

Details

A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / ansible

Introduced in: 0 Fixed in: 2.7.17

Fix pip install --upgrade 'ansible>=2.7.17'

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735 [REPORT]
https://github.com/ansible/ansible/issues/67793 [REPORT]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/ [WEB]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/ [WEB]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/ [WEB]
https://security.gentoo.org/glsa/202006-11 [ADVISORY]
https://github.com/advisories/GHSA-gfr2-qpxh-qj9m [ADVISORY]