Candidate: CVE-2020-1740
PublicDate: 2020-03-16 16:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1740
 https://bugzilla.redhat.com/show_bug.cgi?id=1802193
Description:
 A flaw was found in Ansible Engine when using Ansible Vault for editing
 encrypted files. When a user executes "ansible-vault edit", another user on
 the same computer can read the old and new secret, as it is created in a
 temporary file with mkstemp and the returned file descriptor is closed and
 the method write_data is called to write the existing secret in the file.
 This method will delete the file before recreating it insecurely. All
 versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
Ubuntu-Description:
Notes:
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N [4.7 MEDIUM]


Patches_ansible:
upstream_ansible: released (2.9.7+dfsg-1, 1.7.2+dfsg-2+deb9u3)
precise/esm_ansible: DNE
trusty_ansible: ignored (out of standard support)
trusty/esm_ansible: needed
xenial_ansible: ignored (end of standard support, was needed)
bionic_ansible: needed
eoan_ansible: ignored (reached end-of-life)
focal_ansible: needed
groovy_ansible: not-affected (2.9.7+dfsg-1)
hirsute_ansible: not-affected (2.9.7+dfsg-1)
impish_ansible: not-affected (2.9.7+dfsg-1)
jammy_ansible: not-affected (2.9.7+dfsg-1)
devel_ansible: not-affected (2.9.7+dfsg-1)