Open staging-whitesource-for-github-com[bot] opened 3 hours ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
CVE-2020-10744 - Medium Severity Vulnerability
Vulnerable Library - ansible-2.9.9.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/00/5d/e10b83e0e6056dbd5b4809b451a191395175a57e3175ce04e35d9c5fc2a0/ansible-2.9.9.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /requirements.txt
Dependency Hierarchy: - :x: **ansible-2.9.9.tar.gz** (Vulnerable Library)
Found in HEAD commit: 468a9043c4298813feaf94da51c858f22aad8291
Found in base branch: main
Vulnerability Details
An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected and Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected.
Publish Date: 2020-05-15
URL: CVE-2020-10744
CVSS 3 Score Details (5.0)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: High - Privileges Required: Low - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-10744
Release Date: 2020-05-15
Fix Resolution: 2.9.10
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.