DescriptionA flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.
Overall state of this security issue: Pending
This issue is currently rated as having important severity.
|National Vulnerability Database|
|National Vulnerability Database||SUSE|
Status of this issue by product and package
Please note that this evaluation state might be work in progress, incomplete or outdated. Also information for service packs in the LTSS phase is only included for issues meeting the LTSS criteria. If in doubt, feel free to contact us for clarification.
|HPE Helion OpenStack 8||ansible||Affected|
|HPE Helion OpenStack 8||ansible1||Not affected|
|SUSE Openstack Cloud 7||ansible||Affected|
|SUSE Openstack Cloud 8||ansible||Affected|
|SUSE Openstack Cloud 8||ansible1||Not affected|
|SUSE Openstack Cloud 9||ansible1||Not affected|