CVE-2020-25635
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
A flaw was found in Ansible Base when using the aws_ssm connection plugin: garbage collection does not happen after the playbook run is completed. Files would remain in the bucket, exposing the data. This issue directly affects data confidentiality.
Predictions
Exploit likelihood
20%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2020-25635
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 0 |
| debian | bullseye | fixed | 0 |
| debian | sid | fixed | 0 |
| debian | forky | fixed | 0 |
| debian | trixie | fixed | 0 |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | ansible | <2.10.1 | 2.10.1 |
References
- https://security-tracker.debian.org/tracker/CVE-2020-25635
- https://nvd.nist.gov/vuln/detail/CVE-2020-25635
- https://github.com/ansible-collections/community.aws/issues/222
- https://github.com/ansible-collections/community.aws/pull/237#issuecomment-1468591094
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-220.yaml