{ "document": { "aggregate_severity": { "text": "Medium" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/debian10els/vex/2020/cve-2020-10744-els_os-debian10els.json" } ], "title": "Security update on CVE-2020-10744", "tracking": { "current_release_date": "2025-12-23T22:15:38Z", "generator": { "date": "2025-12-23T22:15:38Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2020-10744-ELS_OS-DEBIAN10ELS", "initial_release_date": "2020-05-15T14:15:00Z", "revision_history": [ { "date": "2020-05-15T14:15:00Z", "number": "1", "summary": "Initial version" }, { "date": "2025-11-29T10:51:17Z", "number": "2", "summary": "Official Publication" }, { "date": "2025-12-23T22:15:38Z", "number": "3", "summary": "Update document" } ], "status": "final", "version": "2" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian None", "product": { "name": "Debian None", "product_id": "Debian-10", "product_identification_helper": { "cpe": "cpe:2.3:o:debian:debian_linux:10:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Debian" }, { "branches": [ { "category": "product_version", "name": "ansible-2.7.7+dfsg-1+deb10u2.all", "product": { "name": "ansible-2.7.7+dfsg-1+deb10u2.all", "product_id": "ansible-2.7.7+dfsg-1+deb10u2.all", "product_identification_helper": { "purl": "pkg:deb/debian/ansible@2.7.7%2Bdfsg-1%2Bdeb10u2?arch=all" } } }, { "category": "product_version", "name": "ansible-doc-2.7.7+dfsg-1+deb10u2.all", "product": { "name": "ansible-doc-2.7.7+dfsg-1+deb10u2.all", "product_id": "ansible-doc-2.7.7+dfsg-1+deb10u2.all", "product_identification_helper": { "purl": "pkg:deb/debian/ansible-doc@2.7.7%2Bdfsg-1%2Bdeb10u2?arch=all" } } } ], "category": "architecture", "name": "all" } ], "category": "vendor", "name": "Software in the Public Interest, Inc." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "product": { "name": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "product_id": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/tuxcare/ansible@2.7.7%2Bdfsg-1%2Bdeb10u2%2Btuxcare.els1?arch=all" } } }, { "category": "product_version", "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "product": { "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "product_id": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/tuxcare/ansible-doc@2.7.7%2Bdfsg-1%2Bdeb10u2%2Btuxcare.els1?arch=all" } } } ], "category": "architecture", "name": "all" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all as a component of Debian None", "product_id": "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all" }, "product_reference": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-2.7.7+dfsg-1+deb10u2.all as a component of Debian None", "product_id": "Debian-10:ansible-2.7.7+dfsg-1+deb10u2.all" }, "product_reference": "ansible-2.7.7+dfsg-1+deb10u2.all", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all as a component of Debian None", "product_id": "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all" }, "product_reference": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-doc-2.7.7+dfsg-1+deb10u2.all as a component of Debian None", "product_id": "Debian-10:ansible-doc-2.7.7+dfsg-1+deb10u2.all" }, "product_reference": "ansible-doc-2.7.7+dfsg-1+deb10u2.all", "relates_to_product_reference": "Debian-10" } ] }, "vulnerabilities": [ { "cve": "CVE-2020-10744", "cwe": { "id": "CWE-377", "name": "Insecure Temporary File" }, "notes": [ { "category": "description", "text": "An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected and Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "Debian-10:ansible-2.7.7+dfsg-1+deb10u2.all", "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "Debian-10:ansible-doc-2.7.7+dfsg-1+deb10u2.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2020-10744" }, { "category": "external", "summary": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744" } ], "release_date": "2020-05-15T14:15:00Z", "remediations": [ { "category": "no_fix_planned", "details": "Ignored due to low severity", "product_ids": [ "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "Debian-10:ansible-2.7.7+dfsg-1+deb10u2.all", "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "Debian-10:ansible-doc-2.7.7+dfsg-1+deb10u2.all" ] } ], "scores": [ { "cvss_v2": { "accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.7, "baseSeverity": "LOW", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:H/Au:N/C:P/I:P/A:P", "version": "2.0" }, "cvss_v3": { "attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L", "version": "3.1" }, "products": [ "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "Debian-10:ansible-2.7.7+dfsg-1+deb10u2.all", "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "Debian-10:ansible-doc-2.7.7+dfsg-1+deb10u2.all" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }