
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2020-1736) was discovered in Ansible Engine affecting the atomic_move primitive functionality. The flaw affects all versions in Ansible Engine 2.7.x, 2.8.x, and 2.9.x branches, as well as various versions of Ansible Tower. The vulnerability was discovered by Damien Aumaitre and Nicolas Surbayrole from Quarkslab (Red Hat Bugzilla).
The vulnerability occurs when a file is moved using the atomic_move primitive, because the primitive does not let the caller specify the file mode. When the destination file does not exist, it is created with 0666 permissions masked by the current umask. Depending on the default umask and the permissions on the destination directory, this can leave the file world-readable. The vulnerability has been assigned a CVSS v3.1 Base Score of 3.3 (LOW) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).
The vulnerability could lead to the disclosure of sensitive data, since files may be created with overly permissive permissions. If the destination file already exists, its permissions could be changed to something less restrictive before the move operation takes place (GitHub Issue).
The issue can be mitigated by specifying the 'mode' parameter on the task. This still leaves a race condition in which newly created files briefly carry (666 - umask) permissions before the final mode is applied. An alternative workaround when many files are created is to set 'mode' to 'preserve', which keeps the permissions of the source file from the controller on the managed host (Red Hat Bugzilla).
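The following Python is an added illustration and is not part of this report, nor Ansible's own atomic_move code. It models the creation behaviour described above (a new destination created with 0666 masked by the umask, with any explicit mode applied only after the data is written) next to a hardened variant that opens the temporary file owner-only from the first instruction, so the file is never observable with wider bits than intended. The function names, the temporary directory layout and the POSIX permission semantics are assumptions of the example.

```python
"""Model of the umask-dependent file creation behind CVE-2020-1736 (added example)."""
import os
import stat
import tempfile
from typing import Dict, Optional


def flawed_atomic_write(src: str, dst: str, final_mode: Optional[int] = None) -> int:
    """Flawed pattern: the temporary file is created with 0o666 masked by the
    process umask, data is written, and only then is an explicit mode applied.
    Returns the permission bits the file carried during that window."""
    tmp = dst + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o666)  # umask decides the bits
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        out.write(inp.read())
    exposed = stat.S_IMODE(os.stat(tmp).st_mode)
    if final_mode is not None:
        os.chmod(tmp, final_mode)  # the race window closes only here
    os.rename(tmp, dst)
    return exposed


def hardened_atomic_write(src: str, dst: str, mode: Optional[int] = None) -> int:
    """Hardened pattern: create the temporary file owner-only (0o600), write the
    data, then widen to the intended mode and rename. mode=None preserves the
    source file's permission bits (the analogue of mode: preserve). Returns the
    bits observable while the data was being written."""
    if mode is None:
        mode = stat.S_IMODE(os.stat(src).st_mode)
    tmp = dst + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)  # umask can only narrow this
    with os.fdopen(fd, "wb") as out, open(src, "rb") as inp:
        out.write(inp.read())
    exposed = stat.S_IMODE(os.stat(tmp).st_mode)
    os.chmod(tmp, mode)  # widening happens after the content is in place
    os.rename(tmp, dst)
    return exposed


def is_world_readable(path: str) -> bool:
    """Audit check a defender can run over managed files: is the 'other' read bit set?"""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demonstrate(umask: int = 0o022) -> Dict[str, object]:
    """Run both variants under the given umask on a constructed secret file and
    report what a reader could observe during the write and after the rename."""
    old_umask = os.umask(umask)
    try:
        with tempfile.TemporaryDirectory() as workdir:
            src = os.path.join(workdir, "secret.txt")
            with open(src, "wb") as f:
                f.write(b"constructed sample secret\n")  # constructed sample content
            os.chmod(src, 0o600)  # the source is owner-only on the controller
            flawed_dst = os.path.join(workdir, "flawed.txt")
            hardened_dst = os.path.join(workdir, "hardened.txt")
            flawed_window = flawed_atomic_write(src, flawed_dst, final_mode=0o600)
            hardened_window = hardened_atomic_write(src, hardened_dst)  # preserve source bits
            return {
                "flawed_window_mode": flawed_window,
                "flawed_window_world_readable": bool(flawed_window & stat.S_IROTH),
                "flawed_final_world_readable": is_world_readable(flawed_dst),
                "hardened_window_mode": hardened_window,
                "hardened_final_mode": stat.S_IMODE(os.stat(hardened_dst).st_mode),
            }
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    for mask in (0o022, 0o077):
        print(f"umask {mask:04o}:", {k: (oct(v) if isinstance(v, int) and not isinstance(v, bool) else v)
                                     for k, v in demonstrate(mask).items()})
```

With the common umask of 022 the flawed variant exposes the file as 0644 (world-readable) until the chmod runs, even though the task asked for 0600; with umask 077 the window happens to be safe, which is exactly the umask dependence the advisory describes. The hardened variant creates the file owner-only and only widens it afterwards, so the observable mode during the write never exceeds 0600 regardless of umask. Temporarily setting the umask to 0 to force exact bits at creation was deliberately avoided, since umask is process-wide and changing it races with other threads.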
Source: This report was generated using AI