ALPINE-CVE-2020-1740
Advisory lineage Upstream: 1 Downstream: 0
Upstream
Published: 16 Mar 2020, 16:15
Last modified:19 Nov 2025, 06:17
Vulnerability Summary
Overall Risk (default)
low
19/100 CVSS Score
4.7 MEDIUM
3.1 (osv_alpine)
EPSS Score
No data
KEV
Not listed
Ransomware
No reports
Public exploits
None found
Dark Web
Not detected
Timeline
16 Mar 2020, 16:15
Published
Vulnerability first disclosed
19 Nov 2025, 06:17
Last Modified
Vulnerability information updated
Description
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
CVSS Metrics
- v3.1•MEDIUM•Score: 4.7CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Systems
- alpine•ansible
< 2.8.11-r0 | < 2.9.7-r0 | < 2.9.7-r0 | < 2.7.17-r0
- alpine•ansible-base
< 2.9.7-r0 | < 2.9.7-r0