Bug 1802154 (CVE-2020-1737) - CVE-2020-1737 ansible: Extract-Zip function in win_unzip module does not check extracted path
Keywords:
Status: NEW
Alias: CVE-2020-1737
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1804389 1804390 1804391 1804392 1805368 1805369 1805370 1805371 1805505 1808319 1814772 1805328 1805329 1807877
Blocks: 1801714
 
Reported: 2020-02-12 13:37 UTC by Borja Tarraso
Modified: 2020-03-27 07:25 UTC (History)

Fixed In Version: ansible-engine 2.7.17, ansible-engine 2.8.11, ansible-engine 2.9.7
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible Engine in the Extract-Zip function of the win_unzip module: the extracted file(s) are not checked to confirm that they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive whose entries use path traversal to write files anywhere in the file system.
Clone Of:
Environment:
Last Closed:



Description Borja Tarraso 2020-02-12 13:37:52 UTC
Extract-Zip function in win_unzip module does not check if the extracted path belongs to the destination folder. This could lead to path traversal on a crafted archive.
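The containment check the report says Extract-Zip lacked, written as an added example in Python (not the win_unzip module's PowerShell code and not the upstream fix): each entry's target path is resolved the way a naive extractor would resolve it, anything that lands outside the destination is rejected, and only then is anything written. The destination path and the archive contents are constructed for the demo.

```python
import io
import os
import zipfile

def resolve_entry(dest: str, name: str) -> str:
    """Where a naive extractor writes this entry: join and normalise, no containment check."""
    # Zip names use '/', but Windows extractors also honour '\' as a separator.
    return os.path.normpath(os.path.join(os.path.abspath(dest), name.replace("\\", "/")))

def is_inside(dest: str, target: str) -> bool:
    """The check Extract-Zip lacked; the separator in the prefix keeps /srv/unpack-evil out."""
    dest_abs = os.path.abspath(dest)
    return target == dest_abs or target.startswith(dest_abs + os.sep)

def check_archive(zip_bytes: bytes, dest: str) -> dict:
    """Classify every entry without writing anything: name -> (target, ok)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = zf.namelist()
    return {n: (t, is_inside(dest, t)) for n in names for t in [resolve_entry(dest, n)]}

def safe_extract(zip_bytes: bytes, dest: str) -> list:
    """Fail closed: refuse the whole archive if any entry escapes, else write to checked targets."""
    verdicts = check_archive(zip_bytes, dest)
    bad = [n for n, (_, ok) in verdicts.items() if not ok]
    if bad:
        raise ValueError(f"refusing archive, entries escape {dest}: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for name in zf.namelist():
            target = verdicts[name][0]  # write to the checked path, never to the raw name
            if name.endswith("/"):  # directory entry
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(name) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written

def build_sample_zip() -> bytes:
    """Constructed sample archive: one benign entry plus three escape variants."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("app/config.txt", "benign")
        zf.writestr("../../escape.txt", "dot-dot traversal")
        zf.writestr("..\\..\\escape2.txt", "backslash traversal")
        zf.writestr("/etc/escape3.txt", "absolute path")
    return buf.getvalue()
```

Calling check_archive(build_sample_zip(), "/srv/unpack") flags the three escaping entries, and safe_extract refuses the archive outright rather than writing the benign entry alone.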

Comment 2 Borja Tarraso 2020-02-17 12:56:53 UTC
Acknowledgments:

Name: Damien Aumaitre (Quarkslab), Nicolas Surbayrole (Quarkslab)

Comment 4 Salvatore Bonaccorso 2020-02-19 07:21:43 UTC
Borja, any information on related upstream issue on this one? If possible it would be nice to have this together with the respective bugzilla entry to ease other downstream's triage on the issues.

Comment 5 Borja Tarraso 2020-02-20 16:46:45 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1805329]
Affects: fedora-all [bug 1805328]

Comment 6 Borja Tarraso 2020-02-20 17:02:08 UTC
Hey Salvatore, I am working to provide additional information regarding this issue; more details as you requested, affected versions as well as upstream links in case we already have. Prioritising this for now, I will get back to you asap.

In reply to comment #4:
> Borja, any information on related upstream issue on this one? If possible it
> would be nice to have this together with the respective bugzilla entry to
> ease other downstream's triage on the issues.

Comment 9 Yadnyawalk Tale 2020-02-20 22:44:18 UTC
Red Hat CloudForms Management Engine 5.9 is in maintenance phase and we're no longer fixing "Medium" severity CVEs.

Comment 12 Borja Tarraso 2020-02-26 11:38:25 UTC
Mitigation:

Currently, there is no mitigation for this issue except to avoid using the affected win_unzip module when possible.

Comment 13 Borja Tarraso 2020-02-27 10:23:01 UTC
Upstream fix: https://github.com/ansible/ansible/issues/67795

Comment 14 Borja Tarraso 2020-02-27 12:19:31 UTC
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1807877]

Comment 16 Hardik Vyas 2020-03-18 16:17:15 UTC
Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintain their own version of Ansible. The fix will be provided from core Ansible. But we still ship ansible separately for ceph ubuntu.

Comment 18 Borja Tarraso 2020-03-27 07:25:08 UTC
Statement:

Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.

Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.

