CVE-2020-1735: 
Ansible Tower vulnerability analysis and mitigation

A flaw was discovered in the Ansible Engine's fetch module (CVE-2020-1735). The vulnerability allows an attacker to intercept the module, inject a new path, and choose a new destination path on the controller node. This vulnerability affects all versions in Ansible Engine 2.7.x, 2.8.x, and 2.9.x branches, as well as Ansible Tower versions up to 3.4.5, 3.5.5, and 3.6.3 (Red Hat Bug).

The vulnerability exists in the fetch module's handling of source paths. When the fetch module takes the source result from the slurp module, which comes from the remote host, the path validation is insufficient. This allows manipulation of the path to potentially traverse directories, such as creating paths like '/tmp/result_fetch/ansible1/../../../../../../../../../../../../../../../../home//.profile'. The vulnerability has a CVSS v3.1 base score of 4.6 (MEDIUM) with vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows an attacker to place files with controlled contents in arbitrary locations on the controller node through path manipulation. This could potentially lead to security compromises depending on the location where files are placed and their contents (GitHub Issue).

The vulnerability was fixed in Ansible Engine versions 2.7.17, 2.8.11, and 2.9.7. Users are advised to upgrade to these or later versions. Prior to patching, there was no known workaround except avoiding the use of the affected fetch module (Red Hat Bug).

Multiple Linux distributions responded to this vulnerability by releasing security updates, including Fedora, Debian, and Gentoo. Red Hat rated this update as having an 'Important' security impact (Fedora Update, Gentoo Advisory).