{"id":"PYSEC-2020-2","details":"An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.","aliases":["CVE-2020-10691","GHSA-3c67-gc48-983w"],"modified":"2023-11-01T04:51:25.466069Z","published":"2020-04-30T17:15:00Z","references":[{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691"},{"type":"WEB","url":"https://github.com/ansible/ansible/pull/68596"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-3c67-gc48-983w"}],"affected":[{"package":{"name":"ansible","ecosystem":"PyPI","purl":"pkg:pypi/ansible"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.9.0"},{"fixed":"2.9.7"}]}],"versions":["2.9.0","2.9.1","2.9.2","2.9.3","2.9.4","2.9.5","2.9.6"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2020-2.yaml"}}],"schema_version":"1.7.3"}