CVE-2020-10684 – ansible

Package

Manager: pip
Name: ansible
Vulnerable Version: >=2.7.0a1 <2.7.17 || >=2.8.0a1 <2.8.11 || >=2.9.0a1 <2.9.7

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00023 pctl0.04628

Details

Code Injection, Race Condition, and Execution with Unnecessary Privileges in Ansible A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.11, and 2.9.7 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.

Metadata

Created: 2021-04-07T20:37:06Z
Modified: 2024-11-18T16:26:11Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-p62g-jhg6-v3rq/GHSA-p62g-jhg6-v3rq.json
CWE IDs: ["CWE-250", "CWE-362", "CWE-862", "CWE-94"]
Alternative ID: GHSA-p62g-jhg6-v3rq
Finding: F422
Auto approve: 1