ansible is vulnerable to directory traversal attack. The attack is possible because it does not properly normalize and compare paths, allowing an attacker to manipulate the module, inject a new path, and rewrite a new destination path on the controller node.
bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735
github.com/ansible/ansible/commit/2dc20b32f83cd2a2f868c9e1d33b86071c1c66c2
github.com/ansible/ansible/issues/67793
lists.fedoraproject.org/archives/list/[email protected]/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
lists.fedoraproject.org/archives/list/[email protected]/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
lists.fedoraproject.org/archives/list/[email protected]/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
security.gentoo.org/glsa/202006-11
www.debian.org/security/2021/dsa-4950
www.sourceclear.com/vulnerability-database/vulnerabilities/13364