CVE-2020-1737

Description

A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.

How to fix CVE-2020-1737

To remediate CVE-2020-1737, upgrade the affected package to a fixed version below.

• —upgrade to 2.8.9-r0 or later
• —upgrade to 2.9.6-r0 or later
• —upgrade to 2.9.7+dfsg-1 or later
• —upgrade to 2.8.9 or later
• —upgrade to 2.7.17 or later

Is CVE-2020-1737 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 2.8.9-r0
• from 0, < 2.9.6-r0
• from 0, < 2.9.7+dfsg-1
• >= 2.8.0a1, < 2.8.9
• from 0, < 2.7.17, >= 2.8.0, < 2.8.9, >= 2.9.0, < 2.9.6

CVSS scores

References (19)

• ADVISORYgithub.com/advisories/GHSA-893h-35v4-mxqx
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-1737
• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2020-1737
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2020-1737
• PATCH