CVE-2020-25635 — Ansible does not collect garbage after playbook run

Description

A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality.

How to fix CVE-2020-25635

To remediate CVE-2020-25635, upgrade the affected package to a fixed version below.

—upgrade to 2.10.1 or later
—upgrade to 2.10.1 or later

Is CVE-2020-25635 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 2.10.1
from 0, < 2.10.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.0	CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

References (7)

ADVISORYgithub.com/advisories/GHSA-f556-49jc-4rvc
ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-25635
PATCHgithub.com/ansible/ansible
WEBbugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635
WEB