CVE-2020-1735
path injection vulnerability in ansible (PyPI)
What is CVE-2020-1735 About?
This vulnerability is a path injection flaw in the Ansible Engine's fetch module, allowing an attacker to intercept the module and inject a new path. This can result in an attacker choosing a new destination path on the controller node, enabling arbitrary file write or overwrite. It's a significant control plane vulnerability that, while moderate in complexity, provides a powerful primitive for compromising the Ansible controller.
Affected Software
- ansible
  - >=2.8.0a1, <2.8.12
  - >=2.9.0a1, <2.9.8
  - >=2.7.0a1, <2.7.18
  - <2.7.17
Technical Details
The vulnerability exists in the fetch module of Ansible Engine versions in the 2.7.x, 2.8.x, and 2.9.x branches. During the operation of the fetch module, an attacker can intercept the module's execution flow. By doing so, they can inject a new path into the module's parameters. This injected path allows the attacker to specify an arbitrary destination path on the Ansible controller node for files being fetched. This capability can be leveraged to write files to unintended locations, overwrite existing critical files, or potentially place malicious files that could then be executed by the controller, leading to further compromise of the Ansible control plane.
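One way a controller-side check can keep a fetched file inside its per-host directory, as an added example that is not Ansible's own code or its fix. The names `resolve_fetch_dest` and `UnsafeDestination`, the `base_dir/host/` layout and the POSIX path handling are assumptions made for illustration.

```python
import os
import tempfile


class UnsafeDestination(ValueError):
    """The computed destination would land outside the allowed directory."""


def _inside(parent, child):
    # True only when child is strictly below parent (both already resolved).
    return child != parent and os.path.commonpath([parent, child]) == parent


def resolve_fetch_dest(base_dir, host, reported_path):
    """Return where a fetched file may be written under base_dir/host/.

    reported_path is untrusted: it arrived as data during the fetch and was
    not chosen by the controller. Layout and names are assumptions.
    """
    base = os.path.realpath(base_dir)
    root = os.path.realpath(os.path.join(base, host))
    if not _inside(base, root):
        raise UnsafeDestination(f"host directory escapes base: {host!r}")
    # Re-root absolute paths under root; os.path.join would otherwise let an
    # absolute second argument replace root entirely.
    relative = reported_path.lstrip(os.sep)
    # realpath collapses ".." and follows symlinks, so the check is made on
    # the location that would really be written.
    candidate = os.path.realpath(os.path.join(root, relative))
    if not _inside(root, candidate):
        raise UnsafeDestination(f"path escapes {root}: {reported_path!r}")
    return candidate


if __name__ == "__main__":
    base = tempfile.mkdtemp()  # constructed sandbox standing in for the fetch dest
    # Constructed sample inputs: one ordinary path, three that must be refused.
    for sample in ("/etc/hostname", "../outside.txt", "/../../outside.txt", ""):
        try:
            print("write to", resolve_fetch_dest(base, "web01", sample))
        except UnsafeDestination as exc:
            print("refused:", exc)
```

The check runs on the resolved path, so a symlink planted inside the per-host directory is refused in the same way as a `..` sequence.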
What is the Impact of CVE-2020-1735?
Successful exploitation may allow attackers to write arbitrary files to the Ansible controller node, leading to data corruption, denial of service, or potentially remote code execution.
What is the Exploitability of CVE-2020-1735?
Exploitation of this path injection flaw is likely moderately complex, requiring an attacker to intercept or manipulate the communication related to the fetch module. Authentication as a user capable of interacting with the Ansible control plane and using the fetch module would be required. Privilege requirements would align with those of a user running Ansible playbooks that utilize the fetch module. This is typically a remote exploitation scenario if the attacker can influence or intercept the Ansible execution, targeting the controller. The special condition is the attacker's ability to inject a new path during the fetch operation. Risk factors are heightened in environments where Ansible operations are not adequately secured against manipulation and where untrusted users can initiate fetch operations.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-1735?
Available Upgrade Options
- ansible
  - <2.7.17 → Upgrade to 2.7.17
- ansible
  - >=2.7.0a1, <2.7.18 → Upgrade to 2.7.18
- ansible
  - >=2.8.0a1, <2.8.12 → Upgrade to 2.8.12
- ansible
  - >=2.9.0a1, <2.9.8 → Upgrade to 2.9.8
Additional Resources
- https://github.com/ansible/ansible
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735
- https://security.gentoo.org/glsa/202006-11
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
- https://github.com/ansible/ansible/issues/67793
- https://github.com/ansible/ansible/commit/18f91bbb88a84b1d3614ef41c3550da735592ac1
What are Similar Vulnerabilities to CVE-2020-1735?
Similar Vulnerabilities: CVE-2023-28841, CVE-2022-41903, CVE-2021-3676, CVE-2021-34827, CVE-2020-7212
