{"containers": {"cna": {"affected": [{"product": "Community Collections", "vendor": "AWS Community", "versions": [{"status": "affected", "version": " from 1.0.0 to 1.2.0"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-552", "description": "CWE-552", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-377", "description": "CWE-377", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-10-05T12:51:02", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25636"}, {"tags": ["x_refsource_MISC"], "url": "https://github.com/ansible-collections/community.aws/issues/221"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-25636", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Community Collections", "version": {"version_data": [{"version_value": " from 1.0.0 to 1.2.0"}]}}]}, "vendor_name": "AWS Community"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability."}]}, "impact": {"cvss": [[{"vectorString": "6.6/CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-552"}]}, {"description": [{"lang": "eng", "value": "CWE-377"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25636", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25636"}, {"name": "https://github.com/ansible-collections/community.aws/issues/221", "refsource": "MISC", "url": "https://github.com/ansible-collections/community.aws/issues/221"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T15:40:36.243Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25636"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/ansible-collections/community.aws/issues/221"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-25636", "datePublished": "2020-10-05T12:51:02", "dateReserved": "2020-09-16T00:00:00", "dateUpdated": "2024-08-04T15:40:36.243Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible:2.10.1:rc2:*:*:*:*:*:*", "matchCriteriaId": "9C88089F-2A0A-4D2E-915B-C58D7402821C", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en Ansible Base cuando se usa el plugin de conexi\u00f3n aws_ssm, ya que no posee una separaci\u00f3n de espacios de nombres para las transferencias de archivos. Los archivos se escriben directamente en el bucket root, haciendo posible tener colisiones cuando se ejecutan m\u00faltiples procesos de ansible. Este problema afecta principalmente a la disponibilidad del servicio"}], "id": "CVE-2020-25636", "lastModified": "2023-11-07T03:20:17.893", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.2, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2020-10-05T13:15:13.490", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25636"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ansible-collections/community.aws/issues/221"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-552"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-377"}, {"lang": "en", "value": "CWE-552"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Abel Luck (The Guardian Project) for reporting this issue.", "bugzilla": {"description": "Collections: aws_ssm connection plugin should namespace its file transfers", "id": "1880274", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1880274"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.6", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H", "status": "draft"}, "cwe": "CWE-552->CWE-377", "details": ["A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability.", "A flaw was found in Ansible Base when using the aws_ssm connection plugin, as there is not a namespace separation for file transfers. Files are written directly to the root bucket, making it possible to have collisions when running multiple Ansible processes. The highest threat from this vulnerability is to integrity and system availability."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2020-25636", "public_date": "2020-09-04T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-25636\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-25636\nhttps://github.com/ansible-collections/community.aws/issues/221"], "statement": "Ansible collection aws_ssm connection community plugin 1.2.1 and previous versions until 1.0.0 when it was introduced to this plugin are affected versions by this flaw.", "threat_severity": "Moderate", "upstream_fix": "aws_ssm 1.3.0"}