Vulnerability details: VCID-9rk9-scdv-jkhg
Vulnerability ID VCID-9rk9-scdv-jkhg
Aliases CVE-2020-10691, GHSA-3c67-gc48-983w, PYSEC-2020-2
Summary An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage of this to overwrite any file within the system.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3 5.2 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-10691.json
epss 0.00098 https://api.first.org/data/v1/epss?cve=CVE-2020-10691
cvssv3.1 5.2 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691
cvssv3.1 5.2 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 5.2 https://github.com/advisories/GHSA-3c67-gc48-983w
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-3c67-gc48-983w
generic_textual MODERATE https://github.com/advisories/GHSA-3c67-gc48-983w
cvssv3.1 5.2 https://github.com/ansible/ansible
generic_textual MODERATE https://github.com/ansible/ansible
cvssv3.1 5.2 https://github.com/ansible/ansible/commit/b2551bb6943eec078066aa3a923e0bb3ed85abe8
generic_textual MODERATE https://github.com/ansible/ansible/commit/b2551bb6943eec078066aa3a923e0bb3ed85abe8
cvssv3.1 5.2 https://github.com/ansible/ansible/pull/68596
generic_textual MODERATE https://github.com/ansible/ansible/pull/68596
cvssv3.1 5.2 https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-2.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-2.yaml
cvssv2 3.6 https://nvd.nist.gov/vuln/detail/CVE-2020-10691
cvssv3.1 5.2 https://nvd.nist.gov/vuln/detail/CVE-2020-10691
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2020-10691
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-10691.json

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L Found at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L Found at https://github.com/advisories/GHSA-3c67-gc48-983w

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L Found at https://github.com/ansible/ansible

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L Found at https://github.com/ansible/ansible/commit/b2551bb6943eec078066aa3a923e0bb3ed85abe8

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L Found at https://github.com/ansible/ansible/pull/68596

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L Found at https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-2.yaml

Vector: AV:L/AC:L/Au:N/C:N/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2020-10691

Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2020-10691

Exploit Prediction Scoring System (EPSS)
Percentile 0.28097
EPSS Score 0.00098
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:08:45.640263+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2020-2.yaml 37.0.0