ansible: Multiple vulnerabilities (CVE-2020-1737, CVE-2020-1739)
CVE-2020-1737: Extract-Zip function in win_unzip module does not check extracted path
A flaw was found in the Ansible Engine when using the Extract-Zip function from the win_unzip module: the extracted file(s) are not checked to confirm that they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive whose entries use path traversal to be extracted anywhere in the file system.
Fixed In Version:
ansible 2.7.17, 2.8.9, 2.9.6
References:
- https://github.com/ansible/ansible/issues/67795
- https://github.com/ansible/ansible/pull/67799
- https://nvd.nist.gov/vuln/detail/CVE-2020-1737
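The destination check that CVE-2020-1737 describes as missing, shown as an added example (not code from Ansible; win_unzip itself is PowerShell): each entry name is resolved under Windows path rules and the whole archive is refused if any entry would land outside the destination folder. `DEST`, the function names and the sample archive are constructed for illustration.

```python
import io
import ntpath  # Windows path rules, importable on any OS
import zipfile


def resolve_entry(dest, entry_name):
    """Return (target, inside_dest) for one entry, using Windows path rules."""
    root = ntpath.normcase(ntpath.normpath(dest))
    # join() lets a rooted or other-drive entry name replace dest, as on Windows;
    # normpath() collapses ".." and treats "/" and "\" alike.
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, entry_name)))
    inside = target == root or target.startswith(root.rstrip("\\") + "\\")
    return target, inside


def entries_escaping(zip_bytes, dest):
    """List the entry names that would be written outside dest."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not resolve_entry(dest, n)[1]]


def checked_extract_plan(zip_bytes, dest):
    """Validate every entry before any write; return {entry name: target path}."""
    bad = entries_escaping(zip_bytes, dest)
    if bad:
        raise ValueError(f"archive entries escape {dest}: {bad}")
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {n: resolve_entry(dest, n)[0] for n in zf.namelist()}


def build_sample(names):
    """Constructed test archive: every entry holds the same dummy bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            zf.writestr(name, b"sample")
    return buf.getvalue()


DEST = r"C:\deploy\app"  # assumed destination folder
SAMPLE = build_sample([
    "conf/settings.ini",            # stays inside
    "conf/../readme.txt",           # ".." that still resolves inside
    "../../Windows/Temp/drop.txt",  # climbs out with forward slashes
    "..\\outside.txt",              # climbs out with backslashes
])

if __name__ == "__main__":
    print(entries_escaping(SAMPLE, DEST))
```

The prefix comparison appends a separator to the destination, so a sibling folder such as `C:\deploy\app2` is not mistaken for a path inside `C:\deploy\app`.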
CVE-2020-1739: svn module leaks password when specified as a parameter
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior: when a password is set with the "password" argument of the svn module, it is passed on the svn command line, disclosing it to other users on the same node. An attacker could take advantage of this by reading the cmdline file for that particular PID in procfs.
Fixed In Version:
ansible 2.7.17, 2.8.9, 2.9.7
References:
- https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#v297
- https://github.com/ansible/ansible/issues/67797
- https://bugzilla.redhat.com/show_bug.cgi?id=1802178
Affected branches:
Edited by Natanael Copa