Candidate: CVE-2020-1737
PublicDate: 2020-03-09 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1737
 https://bugzilla.redhat.com/show_bug.cgi?id=1802154
Description:
 A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6
 and prior when using the Extract-Zip function from the win_unzip module:
 the extracted files are not checked to ensure they belong to the
 destination folder. An attacker could take advantage of this flaw by
 crafting an archive whose entries use path traversal to write files
 anywhere in the file system. This issue is fixed in 2.10.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_ansible:
upstream_ansible: needs-triage
precise/esm_ansible: DNE
trusty_ansible: ignored (out of standard support)
trusty/esm_ansible: needs-triage
xenial_ansible: ignored (end of standard support, was needs-triage)
bionic_ansible: needs-triage
eoan_ansible: ignored (reached end-of-life)
focal_ansible: needs-triage
groovy_ansible: not-affected (2.9.7+dfsg-1)
hirsute_ansible: not-affected (2.9.7+dfsg-1)
impish_ansible: not-affected (2.9.7+dfsg-1)
jammy_ansible: not-affected (2.9.7+dfsg-1)
devel_ansible: not-affected (2.9.7+dfsg-1)
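The class of bug described above (archive entries extracted by joining the entry name onto the destination without checking that the resolved path stays inside it, commonly called "Zip Slip") is shown below as an added example. It is not Ansible's code: win_unzip is implemented in PowerShell, and this is a Python reconstruction of the pattern, with a constructed archive containing one entry named "../../escaped.txt". The function names, the scratch directory layout and the sample archive are all assumptions made for the example; the hardened version resolves each entry path with os.path.realpath and rejects anything whose common prefix with the destination is not the destination itself.

```python
import io
import os
import tempfile
import zipfile


def build_traversal_zip() -> bytes:
    """Constructed sample archive (example data, not an artefact from the
    advisory): one benign entry and one whose name climbs out of the
    destination with '..' components."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("safe.txt", "benign")
        zf.writestr("../../escaped.txt", "written outside the destination")
    return buf.getvalue()


def unsafe_extract(zip_bytes: bytes, dest: str) -> list:
    """The vulnerable pattern: every entry name is joined onto dest and
    written, with no containment check. Returns the paths it wrote."""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no check at all
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.realpath(target))
    return written


def safe_extract(zip_bytes: bytes, dest: str) -> tuple:
    """Hardened form: resolve each entry's full path and refuse any that
    does not stay under dest. Returns (written, rejected)."""
    dest_real = os.path.realpath(dest)
    written, rejected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            target = os.path.realpath(os.path.join(dest_real, info.filename))
            # commonpath collapses to dest_real only if target is inside it
            if os.path.commonpath([dest_real, target]) != dest_real:
                rejected.append(info.filename)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(target)
    return written, rejected


def demo() -> dict:
    """Runs both extractors against the sample archive in a scratch tree.
    Each destination sits two levels below the scratch root, so the
    '../../' entry lands in the root when the check is missing."""
    root = tempfile.mkdtemp()
    unsafe_dest = os.path.join(root, "unsafe", "deep")
    safe_dest = os.path.join(root, "safe", "deep")
    os.makedirs(unsafe_dest)
    os.makedirs(safe_dest)
    archive = build_traversal_zip()
    unsafe_written = unsafe_extract(archive, unsafe_dest)
    safe_written, rejected = safe_extract(archive, safe_dest)
    return {
        "escaped": os.path.exists(os.path.join(root, "escaped.txt")),
        "unsafe_written": unsafe_written,
        "safe_written": safe_written,
        "rejected": rejected,
    }


if __name__ == "__main__":
    print(demo())
```

The example extracts entries by hand because Python's own ZipFile.extractall already strips ".." components from member names, which would hide the bug. The same check applies to the PowerShell side: compute the full path of each entry under the destination and compare it against the destination's full path before writing, treating backslashes and drive letters in entry names as hostile as well.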