This flaw refers to the incomplete fix for CVE-2020-1733 (ansible: insecure temporary directory when running become_user from become directive). The vulnerability does not seem to be fully mitigated, as the race condition from the original flaw could still happen on systems using ACLs and FUSE filesystems. The 'mkdir -p' is insecure by design.
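An added illustration of the 'mkdir -p' point above (not Ansible's code and not the upstream fix): `mkdir -p` reports success when the path already exists, so a directory pre-created by another local user is accepted silently, while a plain `mkdir` under a restrictive umask fails instead. The function names and scratch paths are hypothetical, and the ACL/FUSE race itself is not reproduced here.

```shell
#!/bin/sh
# Added example; function names and paths are hypothetical, not Ansible's.

# Weak form: 'mkdir -p' exits 0 when the path already exists, whoever
# created it and whatever its mode, so the caller cannot tell it lost a race.
make_tmp_weak() {
    mkdir -p "$1"
}

# Stricter form: plain 'mkdir' fails if anything is already at the path,
# and the umask makes the directory 0700 from the moment it is created.
make_tmp_strict() {
    ( umask 077 && mkdir "$1" ) 2>/dev/null || return 1
    # Defense in depth: a real directory (not a symlink), owned by us.
    [ -d "$1" ] && [ ! -L "$1" ] && [ -O "$1" ] || return 1
    # Mode must be exactly rwx------ (cut drops any ACL/SELinux marker).
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Demo on a constructed scratch area.
base=$(mktemp -d)
mkdir -m 777 "$base/precreated"   # stands in for a directory someone else made first
make_tmp_weak "$base/precreated" && echo "weak: accepted existing directory"
make_tmp_strict "$base/precreated" || echo "strict: refused existing directory"
make_tmp_strict "$base/fresh" && echo "strict: created fresh 0700 directory"
rm -rf "$base"
```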
Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)
Currently, there is no mitigation for this issue.
Created ansible tracking bugs for this issue:
Affects: epel-all [bug 1835854]
Affects: fedora-all [bug 1835855]
Affects: openstack-rdo [bug 1835856]
Borja, has this incomplete fix already been reported upstream?
In reply to comment #9:
> Borja, has this incomplete fix already been reported upstream?
Hi Salvatore, it was found internally that it was an insufficient fix. I expect someone to open an issue in GitHub for upstream soon.
Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected.
Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected.
Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 no longer maintain their own versions of Ansible. The fix will be provided from core Ansible. However, we still ship Ansible separately for Ceph Ubuntu.