
CVE-2020-1736: Incorrect Permission Assignment for Critical Resource in Ansible

CVSS Score: 3.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.10471%
Published: 2/9/2022
Updated: 11/18/2024
KEV Status: No
Technology: Python

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name | Ecosystem | Vulnerable Versions | First Patched Version
ansible      | pip       | >= 2.7.0, <= 2.10.0 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from atomic_move's file creation logic in basic.py. The code explicitly uses DEFAULT_PERM (0o0666) masked by the umask when creating new files, which could leave files world-readable depending on the environment's umask configuration. The GitHub issue (#67794) directly references this code path, and the CVE description matches this behavior. The lack of a mechanism to specify custom file modes in atomic_move operations is the root cause.
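To make the umask dependence concrete, here is an added Python example (not Ansible's code; the hardened variant is an assumed fix, not the project's patch) that creates a file the way the vulnerable path does, beside one that applies an explicit caller-chosen mode independent of the umask:

```python
import os
import stat
import tempfile

# Mode the vulnerable atomic_move path requested (from the page): 0o666,
# which the kernel masks with the process umask at creation time.
DEFAULT_PERM = 0o666

def effective_mode(requested: int, umask: int) -> int:
    """Permission bits a newly created file actually receives."""
    return requested & ~umask & 0o777

def is_world_readable(mode: int) -> bool:
    return bool(mode & stat.S_IROTH)

def create_with_default_perm(path: str) -> int:
    """Vulnerable pattern: the final mode is decided by the caller's umask."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, DEFAULT_PERM)
    os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)

def create_with_explicit_mode(path: str, mode: int) -> int:
    """Hardened pattern (an assumed fix, not Ansible's patch): create owner-only,
    then chmod to the mode the caller asked for, so the umask no longer matters."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)

def compare(umask: int = 0o022) -> tuple:
    """Create both variants under `umask` in a temp dir; return (default, explicit)."""
    old = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as d:
            default = create_with_default_perm(os.path.join(d, "default"))
            explicit = create_with_explicit_mode(os.path.join(d, "explicit"), 0o640)
    finally:
        os.umask(old)
    return default, explicit

if __name__ == "__main__":
    for um in (0o022, 0o077):
        d, e = compare(um)
        print(f"umask {um:04o}: default {d:04o} (world-readable: "
              f"{is_world_readable(d)}), explicit {e:04o}")
```

With the common default umask of 0o022 the first path yields 0o644, i.e. world-readable; only a restrictive umask such as 0o077 hides the problem, which is why relying on it is not a fix.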


WAF Protection Rules

WAF Rule

A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be
