CVE-2020-1736
Insufficiently Protected Credentials vulnerability in ansible (PyPI)
What is CVE-2020-1736 About?
Ansible Engine contains a flaw where the `atomic_move` operation can set world-readable permissions on destination files or degrade existing permissions, leading to sensitive data exposure. This vulnerability affects Ansible Engine 2.7.x, 2.8.x, and 2.9.x branches. Exploitation is relatively easy if an attacker can trigger file moves. The impact is primarily data disclosure.
Affected Software
Technical Details
A flaw exists in Ansible Engine's atomic_move primitive. When atomic_move is used to move a file, the file mode for the destination cannot be explicitly specified. If the destination file does not exist, the newly created file could be set with world-readable permissions by default. Furthermore, if the destination file already exists but has more restrictive permissions, the atomic_move operation could overwrite it, resulting in the file having less restrictive, potentially world-readable permissions. This permission misconfiguration can lead to the unintended disclosure of sensitive data, as any user with system access might be able to read files that should have been protected.
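The permission downgrade described above can be reproduced with a plain rename, shown here next to a move that keeps or sets the mode explicitly. This is an added example, not Ansible's code or its fix: `mode_of`, `world_readable`, `naive_move`, `safe_move` and `demo` are hypothetical names, and the sample files are constructed in a temporary directory.

```python
import os
import stat
import tempfile


def mode_of(path):
    """Return only the permission bits of path (e.g. 0o600)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def world_readable(path):
    """True if 'other' has read permission on path."""
    return bool(mode_of(path) & stat.S_IROTH)


def naive_move(src, dest):
    """Rename-only move (simplified model): dest inherits src's mode."""
    os.replace(src, dest)


def safe_move(src, dest, mode=0o600):
    """Move src over dest without loosening permissions: an existing dest
    keeps its mode, a new dest gets `mode`. chmod runs before the rename."""
    if os.path.exists(dest):
        mode = mode_of(dest)
    os.chmod(src, mode)
    os.replace(src, dest)


def demo():
    """Run both moves over a constructed 0o600 secret; return final modes."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, move in (("naive", naive_move), ("safe", safe_move)):
            dest = os.path.join(d, name + ".secret")
            src = os.path.join(d, name + ".tmp")
            for path, perm in ((dest, 0o600), (src, 0o644)):
                with open(path, "w") as fh:
                    fh.write("constructed sample data\n")
                os.chmod(path, perm)  # chmod ignores umask, so modes are exact
            move(src, dest)
            results[name] = (mode_of(dest), world_readable(dest))
    return results


if __name__ == "__main__":
    for name, (mode, exposed) in demo().items():
        print(f"{name}: {oct(mode)} world-readable={exposed}")
```

The `world_readable` helper can also be pointed at files already written by playbooks to find ones that need their mode tightened.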
What is the Impact of CVE-2020-1736?
Successful exploitation may allow attackers to gain unauthorized access to sensitive information or read confidential data.
What is the Exploitability of CVE-2020-1736?
Exploitation complexity is moderate, requiring the ability to execute Ansible playbooks that utilize the atomic_move primitive. No explicit authentication is required to trigger the vulnerability within an executing playbook, but the attacker would need to have control over the Ansible execution. This is typically a local attack or an attack initiated by an authenticated user who can run playbooks. Prerequisites include an affected version of Ansible Engine and the use of the atomic_move operation in a scenario where file permissions are critical. The risk increases if Ansible playbooks handle sensitive data and rely on atomic_move without subsequent explicit permission setting.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2020-1736?
Available Upgrade Options
- ansible
  - <2.7.17 → Upgrade to 2.7.17
Additional Resources
- https://github.com/ansible/ansible/issues/67794
- https://security.gentoo.org/glsa/202006-11
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NYYQP2XJB2TTRP6AKWVMBSPB2DFJNKD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPNZWBAUP4ZHUR6PO7U6ZXEKNCX62KZ7/
- https://github.com/advisories/GHSA-x7jh-595q-wq82
What are Similar Vulnerabilities to CVE-2020-1736?
Similar Vulnerabilities: CVE-2021-36222, CVE-2021-4034, CVE-2019-8457, CVE-2017-7484, CVE-2016-10707
