Ansible is vulnerable to the creation of world-readable files. When the function atomic_move
is invoked to move a file without a mode and the destination file does not exist, the file is created with the default 0666
permissions, which produces a world-readable file depending on the default umask as well as the permissions on the destination directory.
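
A simplified model of the behaviour described above, next to a variant that passes an explicit mode. This is an added example, not Ansible's code: the function names, the 0600 mode and the umask values are assumptions chosen for illustration.

```python
import os
import stat
import tempfile

DEFAULT_PERM = 0o666  # default permissions named in the advisory


def effective_mode(umask, requested=DEFAULT_PERM):
    """Mode a newly created file ends up with under the given umask."""
    return requested & ~umask


def is_world_readable(mode):
    return bool(mode & stat.S_IROTH)


def move_without_mode(src, dest, umask):
    """Model of the flaw: a new destination gets 0666 masked by umask."""
    creating = not os.path.exists(dest)
    os.rename(src, dest)
    if creating:
        os.chmod(dest, effective_mode(umask))
    return stat.S_IMODE(os.stat(dest).st_mode)


def move_with_mode(src, dest, mode=0o600):
    """Hardened form: set the mode on the source, then rename, so the
    destination never exists with wider permissions."""
    os.chmod(src, mode)
    os.rename(src, dest)
    return stat.S_IMODE(os.stat(dest).st_mode)


def demo():
    """Run each case on a constructed sample file; return the final modes."""
    cases = (("umask_022", lambda s, d: move_without_mode(s, d, 0o022)),
             ("umask_077", lambda s, d: move_without_mode(s, d, 0o077)),
             ("explicit_0600", move_with_mode))
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, move in cases:
            src = os.path.join(tmp, "src")
            with open(src, "w") as fh:
                fh.write("constructed sample secret\n")
            results[name] = move(src, os.path.join(tmp, name))
    return results


if __name__ == "__main__":
    for name, mode in demo().items():
        print(name, oct(mode), "world-readable:", is_world_readable(mode))
```
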
bugzilla.redhat.com/show_bug.cgi?id=1802124
bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736
github.com/ansible/ansible/issues/67794
lists.fedoraproject.org/archives/list/[email protected]/message/2NYYQP2XJB2TTRP6AKWVMBSPB2DFJNKD/
lists.fedoraproject.org/archives/list/[email protected]/message/BPNZWBAUP4ZHUR6PO7U6ZXEKNCX62KZ7/
security.gentoo.org/glsa/202006-11