CVE-2020-1737
Path Traversal vulnerability in ansible (PyPI)
What is CVE-2020-1737 About?
This path traversal vulnerability in Ansible's `win_unzip` module (Extract-Zip function) allows an attacker to craft an archive that extracts files outside the destination folder. The module fails to check if extracted files belong to the specified directory. Exploitation is easy by creating a specially crafted zip file.
Affected Software
- ansible
- >=2.9.0a1, <2.9.6
- >=2.8.0a1, <2.8.9
- <2.7.17
Technical Details
The Extract-Zip function within Ansible's win_unzip module (versions 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior) does not properly validate file paths during the extraction process. An attacker can create a ZIP archive containing files with directory traversal sequences (e.g., ../, ..\) in their filenames. When this malicious archive is extracted by the vulnerable module, these sequences are not sanitized, causing files to be written to arbitrary locations outside the intended destination folder on the file system. This allows for arbitrary file write operations.
What is the Impact of CVE-2020-1737?
Successful exploitation may allow attackers to write arbitrary files to any location on the file system, leading to denial of service, privilege escalation, or remote code execution, depending on the file's content and location.
What is the Exploitability of CVE-2020-1737?
Exploitation is of low complexity. An attacker needs to supply a specially crafted ZIP archive to the win_unzip module. Authentication to the Ansible controller and permissions to deploy tasks involving win_unzip on the target Windows system are required. This makes it a remote vulnerability. No special privileges are needed on the target beyond what Ansible typically has for file operations. The risk factor increases if untrusted archives are frequently processed by Ansible playbooks using win_unzip.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2020-1737?
Available Upgrade Options
- ansible
- <2.7.17 → Upgrade to 2.7.17
- ansible
- >=2.8.0a1, <2.8.9 → Upgrade to 2.8.9
- ansible
- >=2.9.0a1, <2.9.6 → Upgrade to 2.9.6
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/ansible/ansible/issues/67795
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FWDK3QUVBULS3Q3PQTGEKUQYPSNOU5M3/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FWDK3QUVBULS3Q3PQTGEKUQYPSNOU5M3
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1737
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1737
- https://security.gentoo.org/glsa/202006-11
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QT27K5ZRGDPCH7GT3DRI3LO4IVDVQUB7
- https://github.com/samdoran/ansible/commit/aaf549d7870b8687209a3282841b59207735b676
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/QT27K5ZRGDPCH7GT3DRI3LO4IVDVQUB7/
- https://github.com/ansible/ansible/pull/67799
What are Similar Vulnerabilities to CVE-2020-1737?
Similar Vulnerabilities: CVE-2023-22527 , CVE-2023-22524 , CVE-2023-28263 , CVE-2023-27901 , CVE-2023-33230
