What is CVE-2020-1736?

CVE-2020-1736 is a vulnerability found in Ansible Engine that allows destination files to become world-readable.

How does the vulnerability in CVE-2020-1736 occur?

The vulnerability occurs when a file is moved using the atomic_move primitive without specifying the file mode.

What is the severity of CVE-2020-1736?

CVE-2020-1736 has a severity rating of low (3.3).

Which software versions are affected by CVE-2020-1736?

Versions 2.7.16 to 2.9.13 of Redhat Ansible, versions 3.3.4 to 3.7.2 of Redhat Ansible Tower, Redhat Cloudforms Management Engine 5.0, and Fedoraproject Fedora 31 and 32 are affected.

How can the vulnerability in CVE-2020-1736 be fixed?

To fix the vulnerability, update Ansible Engine to a version that is not affected by the issue.

Vulnerability/
CVE-2020-1736

low

3.3

CWE

732

16/3/2020

9/2/2022

11/9/2024

CVE-2020-1736

First published: Mon Mar 16 2020(Updated: )

A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Credit: secalert@redhat.com secalert@redhat.com

Affected Software	Affected Version	How to fix
Redhat Ansible	<=2.7.16
Redhat Ansible	>=2.8.0<2.8.15
Redhat Ansible	>=2.9.0<2.9.13
Redhat Ansible Tower	<=3.3.4
Redhat Ansible Tower	>=3.3.5<=3.4.5
Redhat Ansible Tower	>=3.5.0<=3.5.5
Redhat Ansible Tower	>=3.6.0<=3.6.3
Redhat Ansible Tower	>=3.7.0<=3.7.2
Redhat Cloudforms Management Engine	=5.0
Redhat Openstack	=13
Fedoraproject Fedora	=31
Fedoraproject Fedora	=32
pip/ansible	>=2.7.0<=2.10.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2020-1736?
CVE-2020-1736 is a vulnerability found in Ansible Engine that allows destination files to become world-readable.
How does the vulnerability in CVE-2020-1736 occur?
The vulnerability occurs when a file is moved using the atomic_move primitive without specifying the file mode.
What is the severity of CVE-2020-1736?
CVE-2020-1736 has a severity rating of low (3.3).
Which software versions are affected by CVE-2020-1736?
Versions 2.7.16 to 2.9.13 of Redhat Ansible, versions 3.3.4 to 3.7.2 of Redhat Ansible Tower, Redhat Cloudforms Management Engine 5.0, and Fedoraproject Fedora 31 and 32 are affected.
How can the vulnerability in CVE-2020-1736 be fixed?
To fix the vulnerability, update Ansible Engine to a version that is not affected by the issue.

collector/nvd-index
agent/type
collector/mitre-cve
source/MITRE
agent/weakness
agent/description
agent/first-publish-date
collector/github-advisory-latest
source/GitHub
alias/GHSA-x7jh-595q-wq82
alias/CVE-2020-1736
agent/software-canonical-lookup
agent/severity
agent/last-modified-date
agent/references
agent/author
agent/tags
collector/nvd-cve
source/NVD
agent/softwarecombine
agent/event
collector/github-advisory
vendor/redhat
canonical/redhat ansible
version/redhat ansible/2.7.16
version/redhat ansible/2.8.0
version/redhat ansible/2.9.0
canonical/redhat ansible tower
version/redhat ansible tower/3.3.4
version/redhat ansible tower/3.3.5
version/redhat ansible tower/3.4.5
version/redhat ansible tower/3.5.0
version/redhat ansible tower/3.5.5
version/redhat ansible tower/3.6.0
version/redhat ansible tower/3.6.3
version/redhat ansible tower/3.7.0
version/redhat ansible tower/3.7.2
canonical/redhat cloudforms management engine
version/redhat cloudforms management engine/5.0
canonical/redhat openstack
version/redhat openstack/13
vendor/fedoraproject
canonical/fedoraproject fedora
version/fedoraproject fedora/31
version/fedoraproject fedora/32
package-manager/pip