x/vulndb: potential Go vuln in github.com/ansible/ansible: CVE-2020-10691

[tatianab]

CVE-2020-10691 references github.com/ansible/ansible, which may be a Go module.

Description:
An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2020-10691
• web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691
• fix: ansible-galaxy - Fix tar path traversal issue during install - CVE-2020-10691 ansible/ansible#68596
• Imported by: https://pkg.go.dev/github.com/ansible/ansible?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/ansible/ansible
      vulnerable_at: 2.15.5+incompatible
      packages:
        - package: Ansible
cves:
    - CVE-2020-10691
references:
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691
    - fix: https://github.com/ansible/ansible/pull/68596

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports