CVE-2020-1737: Path Traversal

March 9, 2020 (updated June 13, 2020)

A flaw was found in Ansible when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal.

References

bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1737
nvd.nist.gov/vuln/detail/CVE-2020-1737

Code Behaviors & Features

Detect and mitigate CVE-2020-1737 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →