CVE-2020-10684
24.03.2020, 14:15
A flaw was found in Ansible Engine, in all 2.7.x, 2.8.x and 2.9.x versions prior to 2.7.17, 2.8.9 and 2.9.6 respectively. When ansible_facts is used as a subkey of itself and promoted to a variable while inject is enabled, it overwrites the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data, which would lead to privilege escalation or code injection.
Vendor | Product | Version |
---|---|---|
redhat | ansible | 2.7.0 ≤ 𝑥 < 2.7.17 |
redhat | ansible | 2.8.0 ≤ 𝑥 < 2.8.9 |
redhat | ansible | 2.9.0 ≤ 𝑥 < 2.9.6 |
redhat | ansible_tower | 𝑥 ≤ 3.3.5 |
redhat | ansible_tower | 3.5.0 ≤ 𝑥 ≤ 3.5.5 |
redhat | ansible_tower | 3.6.0 ≤ 𝑥 ≤ 3.6.3 |
debian | debian_linux | 10.0 |
𝑥 = Vulnerable software versions

Common Weakness Enumeration
- CWE-94 - Improper Control of Generation of Code ('Code Injection'): The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
- CWE-862 - Missing Authorization: The software does not perform an authorization check when an actor attempts to access a resource or perform an action.