VDB

CVE-2020-1737

CVE-2020-1737 PUBLISHED

A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.

EPSS 0.16% · 36.0th percentile

Risk Scores

EPSS Score
0.16%
36.0th percentile

Affected Products

VendorProductVersions
Ubuntu:Pro:16.04:LTSansible0, 1.9.4-1, 2.0.0.2-2
Ubuntu:Pro:14.04:LTSansible1.1+dfsg-1, *, *
Ubuntu:Pro:18.04:LTSansible*, 0, 2.3.1.0+dfsg-2
Ubuntu:Pro:20.04:LTSansible*, *, 2.9.6+dfsg-1ubuntu0.1~esm3

Timeline

  • Mar 9, 2020 CVE Published
  • Jun 13, 2020 CVE Updated
  • Apr 14, 2021 EPSS Score
  • Jun 23, 2021 EPSS Score
  • Aug 24, 2021 EPSS Score
  • Oct 26, 2021 EPSS Score
  • Jan 6, 2022 EPSS Score
  • Feb 4, 2022 EPSS Score
  • Feb 28, 2022 EPSS Score
  • Apr 1, 2022 EPSS Score
  • May 1, 2022 EPSS Score
  • Jul 3, 2022 EPSS Score
Open in Interactive Console →
$ Console Community · 100/wk Open console ›