CVE-2020-14365

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2020-14365
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2020-14365.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2020-14365
Aliases
Downstream
Related
Published
2020-09-23T13:15:15Z
Modified
2025-10-15T11:56:23.932485Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
Summary
[none]
Details

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disablegpgcheck is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.

References

Affected packages

Git / github.com/ansible/ansible

Affected ranges

Type
GIT
Repo
https://github.com/ansible/ansible
Events
Introduced
2611867fd1dc387ceaa0ffb8ce0f030aafc2a859
Last affected
01d9ef008b90cea57c128728cb56eec0974269f8
Introduced
24325a05dfb9104d6d4ec8b488b89e07c2e6d376
Last affected
acf1a7ba4011fb96027c97df8c3cd8c16c9726ca

Affected versions

v2.*

v2.8.0
v2.8.1
v2.8.10
v2.8.11
v2.8.12
v2.8.13
v2.8.14
v2.8.15
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8
v2.8.9
v2.9.0
v2.9.1
v2.9.10
v2.9.11
v2.9.12
v2.9.13
v2.9.2
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v2.9.7
v2.9.8
v2.9.9