N/A

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

不安全的临时文件

Ansible 信息泄露漏洞

Ansible是美国Ansible公司的一款计算机系统配置管理器。该产品可用于发布、管理和编排计算机系统。Ansible Engine是其中的一个Ansible引擎。 Ansible Engine 2.7.x、2.8.x和2.9.x版本中存在安全漏洞。攻击者可利用该漏洞读取敏感信息。

N/A

N/A