{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/ubuntu16.04els/vex/2020/cve-2020-1740-els_os-ubuntu16_04els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-04-20T13:59:47Z",
      "generator": {
        "date": "2026-04-20T13:59:47Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2020-1740-ELS_OS-UBUNTU16.04ELS",
      "initial_release_date": "2020-03-16T16:15:00Z",
      "revision_history": [
        {
          "date": "2020-03-16T16:15:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-04-10T19:43:17Z",
          "number": "2",
          "summary": "Official Publication"
        },
        {
          "date": "2026-04-20T13:59:47Z",
          "number": "3",
          "summary": "Update document"
        }
      ],
      "status": "final",
      "version": "3"
    },
    "title": "Security update on CVE-2020-1740"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Ubuntu 16.04",
                "product": {
                  "name": "Ubuntu 16.04",
                  "product_id": "Ubuntu-16",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Ubuntu"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1.all",
                "product": {
                  "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1.all",
                  "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1.all",
                  "product_identification_helper": {
                    "purl": "pkg:deb/ubuntu/ansible@2.1.1.0-1~ubuntu16.04.1?arch=all"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "all"
          }
        ],
        "category": "vendor",
        "name": "Canonical Ltd."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all",
                "product": {
                  "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all",
                  "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els1?arch=all"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "all"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all",
                "product": {
                  "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all",
                  "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els11?arch=all"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all",
                "product": {
                  "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all",
                  "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els12?arch=all"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all",
                "product": {
                  "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all",
                  "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els2?arch=all"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all",
                "product": {
                  "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all",
                  "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els8?arch=all"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all",
                "product": {
                  "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all",
                  "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els4?arch=all"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all",
                "product": {
                  "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all",
                  "product_id": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all",
                  "product_identification_helper": {
                    "purl": "pkg:deb/cloudlinux/ansible@2.1.1.0-1~ubuntu16.04.1%2Btuxcare.els5?arch=all"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "all"
          }
        ],
        "category": "vendor",
        "name": "CloudLinux"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all"
        },
        "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all"
        },
        "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all"
        },
        "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all"
        },
        "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all"
        },
        "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all"
        },
        "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all"
        },
        "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all",
        "relates_to_product_reference": "Ubuntu-16"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-0:2.1.1.0-1~ubuntu16.04.1.all as a component of Ubuntu 16.04",
          "product_id": "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1.all"
        },
        "product_reference": "ansible-0:2.1.1.0-1~ubuntu16.04.1.all",
        "relates_to_product_reference": "Ubuntu-16"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2020-1740",
      "cwe": {
        "id": "CWE-377",
        "name": "Insecure Temporary File"
      },
      "notes": [
        {
          "category": "description",
          "text": "A flaw was found in Ansible Engine when using Ansible Vault to edit encrypted files. When a user executes \"ansible-vault edit\", another user on the same computer can read the old and new secret: the temporary file is created with mkstemp, but the returned file descriptor is closed and the method write_data is then called to write the existing secret to the file. This method deletes the file before recreating it insecurely. All versions in the 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all",
          "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all",
          "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all",
          "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all",
          "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all",
          "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all",
          "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all",
          "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1.all"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2020-1740"
        },
        {
          "category": "external",
          "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740",
          "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740"
        },
        {
          "category": "external",
          "summary": "https://github.com/ansible/ansible/issues/67798",
          "url": "https://github.com/ansible/ansible/issues/67798"
        },
        {
          "category": "external",
          "summary": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html",
          "url": "https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/"
        },
        {
          "category": "external",
          "summary": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/",
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/"
        },
        {
          "category": "external",
          "summary": "https://security.gentoo.org/glsa/202006-11",
          "url": "https://security.gentoo.org/glsa/202006-11"
        },
        {
          "category": "external",
          "summary": "https://www.debian.org/security/2021/dsa-4950",
          "url": "https://www.debian.org/security/2021/dsa-4950"
        }
      ],
      "release_date": "2020-03-16T16:15:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "Deprioritize this CVE because exploitation is local-only and requires a second user on the same host to capture a transient temporary file precisely while someone is running ansible-vault edit; there is no remote or network attack path and the window of exposure is brief. It impacts confidentiality only (no integrity or availability effect) and does not affect playbook execution or remote nodes. Systems where ansible-vault edit is performed only by trusted administrators on non-shared hosts have negligible practical exposure. On hosts that do have other local users, the data at risk is the vault secret being edited, so ansible-vault edit is best run from a single-user administrative host instead.",
          "product_ids": [
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1.all"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 1.9,
            "baseSeverity": "LOW",
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "NONE",
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:N/A:N",
            "version": "2.0"
          },
          "cvss_v3": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els1.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els11.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els12.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els2.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els4.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els5.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1+tuxcare.els8.all",
            "Ubuntu-16:ansible-0:2.1.1.0-1~ubuntu16.04.1.all"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}