search

LevyForchh / yugabyte-db

The high-performance distributed SQL database for global, internet-scale apps.
https://www.yugabyte.com
Other
0 stars 0 forks source link

CVE-2020-10744 (Medium) detected in ansible-2.2.3.0.tar.gz, ansible-2.5.4.tar.gz #171

Open mend-for-github-com[bot] opened 3 years ago

mend-for-github-com[bot] commented 3 years ago

CVE-2020-10744 - Medium Severity Vulnerability

Vulnerable Libraries - ansible-2.2.3.0.tar.gz, ansible-2.5.4.tar.gz

ansible-2.2.3.0.tar.gz

Radically simple IT automation

Library home page: https://files.pythonhosted.org/packages/ba/41/83e024cdf5ca3b53c14261f268da7512ca395b893cab98c0639f9644b6b7/ansible-2.2.3.0.tar.gz

Path to dependency file: yugabyte-db/cloud/kubernetes/yb-multiregion-k8s

Path to vulnerable library: yugabyte-db/cloud/kubernetes/yb-multiregion-k8s,yugabyte-db/managed/devops/python_requirements.txt

Dependency Hierarchy: - :x: **ansible-2.2.3.0.tar.gz** (Vulnerable Library)

ansible-2.5.4.tar.gz

Radically simple IT automation

Library home page: https://files.pythonhosted.org/packages/6e/95/490f5e39ee7cc7956eecd070610f0a873b97781c9efdbf6098bad2ed3ee0/ansible-2.5.4.tar.gz

Path to dependency file: yugabyte-db/managed/devops/python3_requirements.txt

Path to vulnerable library: yugabyte-db/managed/devops/python3_requirements.txt,yugabyte-db/cloud/kubernetes/yb-multiregion-k8s

Dependency Hierarchy: - :x: **ansible-2.5.4.tar.gz** (Vulnerable Library)

Found in HEAD commit: d5a0ed9bff63893a5435e09333d22846f6bb3acc

Found in base branch: master

Vulnerability Details

An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected and Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected.

Publish Date: 2020-05-15

URL: CVE-2020-10744

CVSS 3 Score Details (5.0)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low

For more information on CVSS3 Scores, click here.