CVE-2020-10691

2020-03-27T08:13:18
ID RH:CVE-2020-10691
Type redhatcve
Reporter redhat.com
Modified 2021-08-22T13:26:00

Description

An archive traversal flaw was found in Ansible Engine when running `ansible-galaxy collection install`. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage of this to overwrite any file within the system.

Mitigation

A possible mitigation for the archive traversal issue is to restrict file access control and directory write access when extracting tarball files. This is feasible only in scenarios where the destination path is known and can be enforced beforehand.