Vulnerability in Ansible Engine Leading to Potential Privilege Escalation
CVE-2020-10684

7.9 HIGH

Key Information:

Vendor: Red Hat

Status
Vendor
CVE Published: 24 March 2020

What is CVE-2020-10684?

Ansible Engine contains a security flaw in which the ansible_facts subkey can be manipulated to alter critical system data. When the inject feature is enabled, an attacker may overwrite essential facts, such as ansible_hosts and user credentials, which can facilitate further exploitation through privilege escalation or code injection. Users should check which versions are affected and ensure updates are applied.

Affected Version(s)

Ansible: all 2.7.x versions prior to 2.7.17

Ansible: all 2.8.x versions prior to 2.8.9

Ansible: all 2.9.x versions prior to 2.9.6

CVSS V3.1

Score: 7.9
Severity: HIGH
Confidentiality: None
Integrity: High
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
