CVE-2020-1736

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2020-1736
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1736.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-1736
Aliases
Downstream
Related
Published
2020-03-16T16:15:13.983Z
Modified
2026-04-10T04:23:48.960031Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
[none]
Details

A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

References

Affected packages

Git / github.com/ansible/ansible

Affected ranges

Type
GIT
Repo
https://github.com/ansible/ansible
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
8fd406ee8e3a14be72b3cbbfe91d03fe35952f95
Introduced
2611867fd1dc387ceaa0ffb8ce0f030aafc2a859
Fixed
01d9ef008b90cea57c128728cb56eec0974269f8
Introduced
24325a05dfb9104d6d4ec8b488b89e07c2e6d376
Fixed
acf1a7ba4011fb96027c97df8c3cd8c16c9726ca
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "2.7.16"
        },
        {
            "introduced": "2.8.0"
        },
        {
            "fixed": "2.8.15"
        },
        {
            "introduced": "2.9.0"
        },
        {
            "fixed": "2.9.13"
        }
    ]
}

Affected versions

0.*
0.0.1
0.01
0.3
0.7
v1.*
v1.0
v1.1
v1.2
v1.4.0
v1.6.0
v2.*
v2.0.0-0.1.alpha1
v2.0.0-0.2.alpha2
v2.0.0-0.3.beta1
v2.0.0-0.4.beta2
v2.0.0-0.5.beta3
v2.6.0a1
v2.7.0
v2.7.0.a1
v2.7.0b1
v2.7.0rc1
v2.7.0rc2
v2.7.0rc3
v2.7.0rc4
v2.7.1
v2.7.10
v2.7.11
v2.7.12
v2.7.13
v2.7.14
v2.7.15
v2.7.16
v2.7.2
v2.7.3
v2.7.4
v2.7.5
v2.7.6
v2.7.7
v2.7.8
v2.7.9
v2.8.0
v2.8.1
v2.8.10
v2.8.11
v2.8.12
v2.8.13
v2.8.14
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v2.9.0
v2.9.1
v2.9.10
v2.9.11
v2.9.12
v2.9.2
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8
v2.9.9

Database specific

unresolved_ranges 
[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "3.3.4"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "3.3.5"
            },
            {
                "last_affected": "3.4.5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "3.5.0"
            },
            {
                "last_affected": "3.5.5"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "3.6.0"
            },
            {
                "last_affected": "3.6.3"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "3.7.0"
            },
            {
                "last_affected": "3.7.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "5.0"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "13"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "31"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "32"
            }
        ]
    }
]
source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-1736.json"