CVE-2016-8614 – ansible
Package
Manager: pip
Name: ansible
Vulnerable Version: >=0 <2.2.0.0
Severity
Level: High
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00079 (percentile 0.24218)
Details
Ansible apt_key module does not properly verify key fingerprint
A flaw was found in Ansible before version 2.2.0.0. The `apt_key` module does not properly verify key fingerprints, allowing a remote adversary to create an OpenPGP key that matches the short key ID and inject this key instead of the correct key.
Metadata
Created: 2018-10-10T17:23:26Z
Modified: 2024-09-03T21:31:19Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-cmwx-9m2h-x7v4/GHSA-cmwx-9m2h-x7v4.json
CWE IDs: ["CWE-358"]
Alternative ID: GHSA-cmwx-9m2h-x7v4
Finding: F096
Auto approve: 1