CVE-2020-1737
Ansible Tower vulnerability analysis and mitigation

Overview

A path traversal vulnerability (CVE-2020-1737) was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior. The flaw is in the Extract-Zip function of the win_unzip module, which writes the members of an archive into the destination folder without checking that each extracted path actually resolves inside that folder (NVD, CVE). win_unzip is a Windows module shipped with Ansible core, the engine that Ansible Tower drives, so exposure depends on the Ansible version a Tower installation runs rather than on Tower's own code.

Technical details

The module's Extract-Zip function joined the destination path with each archive member's name and extracted the member to the result, without verifying that the resulting path stayed under the intended destination folder. A member whose name contains parent-directory segments (`..`) therefore resolves to a location outside the destination. This is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). The CVSS v3.1 base score is 7.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (NVD); the Local attack vector reflects that the malicious input is an archive the host is asked to extract, not a request sent to Ansible over the network.

Impact

An attacker who can supply or influence an archive that a playbook extracts with win_unzip can give its members names containing path traversal segments, so that extraction writes files to locations of the attacker's choosing on the target host, with the privileges of the account running the module. Depending on what is overwritten, this allows unauthorized modification or destruction of files outside the destination folder and, where the overwritten file is later executed, code execution in that account's context; the CVSS vector rates the impact to confidentiality, integrity and availability as high (Red Hat Bugzilla).
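The following is an added example written for this page, not code from Ansible or from the win_unzip module (which is PowerShell). It models in Python the pre-fix pattern described above, joining the destination with each member name and writing without a containment check, next to a hardened extractor that resolves every member path and rejects the whole archive if any member escapes. The archive is constructed in memory for the demonstration; the member name `../../evil.txt`, the directory names and the function names are all assumptions of the example. Python's own `ZipFile.extractall()` sanitises member names, which is why the unsafe path is written by hand.

```python
import io
import os
import tempfile
import zipfile


def build_malicious_zip() -> bytes:
    """Constructed sample archive (not a real-world artefact): one harmless
    entry and one whose name climbs two directories above the extraction root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "harmless content")
        zf.writestr("../../evil.txt", "written outside the destination")
    return buf.getvalue()


def unsafe_extract(data: bytes, dest: str) -> list:
    """Models the pre-fix Extract-Zip pattern: join dest with each member name
    and write it, trusting the name. No check that the result stays in dest."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, info.filename)  # no containment check
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.normpath(target))
    return written


def is_within(dest: str, member_name: str) -> bool:
    """True only if the member would land inside dest after path resolution.
    Windows extractors treat '\\' as a separator too, so it is normalised
    first. An absolute member name replaces dest in os.path.join and so
    fails the check; commonpath raises for paths on different drives, which
    is also a rejection."""
    real_dest = os.path.realpath(dest)
    joined = os.path.join(real_dest, member_name.replace("\\", "/"))
    candidate = os.path.realpath(joined)
    try:
        return os.path.commonpath([real_dest, candidate]) == real_dest
    except ValueError:
        return False


def safe_extract(data: bytes, dest: str) -> list:
    """Hardened extraction: validate every member before writing anything, so
    a bad archive is rejected whole rather than partially extracted."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        escaping = [i.filename for i in zf.infolist()
                    if not is_within(dest, i.filename)]
        if escaping:
            raise ValueError(f"archive members escape {dest!r}: {escaping}")
        for info in zf.infolist():
            target = os.path.join(dest, info.filename.replace("\\", "/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(os.path.normpath(target))
    return written


def demo() -> dict:
    """Extract the constructed archive into <root>/a/b both ways and report
    where the traversal entry ended up; <root> is a throwaway temp directory."""
    data = build_malicious_zip()
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "a", "b")
        os.makedirs(dest)
        planted = os.path.join(root, "evil.txt")  # two levels above dest
        unsafe_extract(data, dest)
        escaped = os.path.isfile(planted)
        if escaped:
            os.remove(planted)
        try:
            safe_extract(data, dest)
            rejected = False
        except ValueError:
            rejected = True
        return {
            "unsafe_wrote_outside_dest": escaped,
            "safe_rejected_archive": rejected,
            "safe_left_root_clean": not os.path.exists(planted),
        }


if __name__ == "__main__":
    print(demo())
```

The check compares resolved paths (`realpath`) rather than the raw member string, so `docs/../readme.txt` is accepted while `../readme.txt`, `..\..\readme.txt` and `/etc/passwd` are all refused; validating all members before the first write is what keeps a rejected archive from leaving a half-extracted tree behind.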

Mitigation and workarounds

The vulnerability was fixed in Ansible 2.10 and in the 2.8 and 2.9 stable branches: upgrade to 2.8.11 or later, or 2.9.7 or later, depending on the branch in use. Every 2.7 release up to and including 2.7.17 is affected, so hosts on 2.7 should move to a fixed 2.8 or 2.9 release or to 2.10. If upgrading immediately is not possible, avoid the win_unzip module, or extract only archives from trusted sources after inspecting the member names for `..` segments and absolute paths (Red Hat Bugzilla).

Community reactions

Multiple Linux distributions, including Fedora and Gentoo, released security advisories and updated packages to address this vulnerability. Red Hat rated it as having an 'Important' security impact (Gentoo Security, Fedora Update).

Related Ansible Tower vulnerabilities:

CVE ID          Severity  Score  Technologies   Component name                  CISA KEV exploit  Has fix  Published date
CVE-2021-4112   HIGH      8.8    Ansible Tower  cpe:2.3:a:redhat:ansible_tower  No                Yes      Aug 25, 2022
CVE-2021-3583   HIGH      7.1    Ansible Tower  ansible                         No                Yes      Sep 22, 2021
CVE-2020-14327  MEDIUM    5.5    Ansible Tower  cpe:2.3:a:redhat:ansible_tower  No                Yes      May 27, 2021
CVE-2020-14329  LOW       3.3    Ansible Tower  cpe:2.3:a:redhat:ansible_tower  No                Yes      May 27, 2021
CVE-2020-14328  LOW       3.3    Ansible Tower  cpe:2.3:a:redhat:ansible_tower  No                Yes      May 27, 2021