Vulnerability in Ansible Engine Leading to Potential Privilege Escalation
CVE-2020-10684

7.9 HIGH

Key Information:

Vendor: Red Hat

Status
Vendor
CVE Published: 24 March 2020

What is CVE-2020-10684?

A security flaw in Ansible Engine allows facts to be manipulated through the ansible_facts subkey, which can alter critical system data. When the inject feature is enabled, an attacker may overwrite essential facts, such as ansible_hosts and user credentials, which can facilitate further exploitation through privilege escalation or code injection. Users should check whether they run an affected version and apply the updates that fix this vulnerability.

Affected Version(s)

Ansible: all 2.7.x versions prior to 2.7.17

Ansible: all 2.8.x versions prior to 2.8.9

Ansible: all 2.9.x versions prior to 2.9.6

CVSS V3.1

Score: 7.9
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
