An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.
CPE | Name | Operator | Version |
---|---|---|---|
ansible_engine | ge | 2.9.0 | |
ansible_engine | lt | 2.9.7 | |
ansible_tower | eq | 3.0 |