CVE-2020-1737

NameCVE-2020-1737
DescriptionA flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ansible (PTS)buster2.7.7+dfsg-1+deb10u1vulnerable
buster (security)2.7.7+dfsg-1+deb10u2vulnerable
bullseye2.10.7+merged+base+2.10.8+dfsg-1fixed
bookworm7.3.0+dfsg-1fixed
sid7.7.0+dfsg-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ansiblesource(unstable)2.9.7+dfsg-1unimportant

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1802154
https://github.com/ansible/ansible/issues/67795
https://github.com/ansible/ansible/pull/67799
Issue in the win_unzip module which is executed only on Windows plattform
Search for package or bug name: Reporting problems