CVE-2024-9902
- Source
- https://cve.org/CVERecord?id=CVE-2024-9902
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-9902.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-9902
- Aliases
- Downstream
- Related
- Published
- 2024-11-06T09:56:54.505Z
- Modified
- 2026-05-18T05:58:02.081318618Z
- Severity
-
- 6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L CVSS Calculator
- Summary
- Ansible-core: ansible-core user may read/write unauthorized content
- Details
-
A flaw was found in Ansible. The ansible-core
usermodule can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes theusermodule against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner. - Database specific
{ "cwe_ids": [ "CWE-863" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/9xxx/CVE-2024-9902.json", "cna_assigner": "redhat" }- References
-
- https://access.redhat.com/downloads/content/package-browser/
- https://catalog.redhat.com/software/containers/
- https://lists.debian.org/debian-lts-announce/2024/11/msg00021.html
- https://access.redhat.com/errata/RHSA-2024:10762
- https://access.redhat.com/errata/RHSA-2024:8969
- https://access.redhat.com/errata/RHSA-2024:9894
- https://access.redhat.com/errata/RHSA-2025:1861
- https://access.redhat.com/security/cve/CVE-2024-9902
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/9xxx/CVE-2024-9902.json
- https://nvd.nist.gov/vuln/detail/CVE-2024-9902
- https://bugzilla.redhat.com/show_bug.cgi?id=2318271
- https://github.com/ansible/ansible
Affected packages
Git / github.com/ansible/ansible
Affected ranges
- Type
- GIT
- Repo
- https://github.com/ansible/ansible
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixedIntroducedFixedIntroducedFixedIntroducedFixedIntroducedFixed
- Database specific
{ "source": "AFFECTED_FIELD", "extracted_events": [ { "introduced": "0" }, { "fixed": "2.14.18rc1" }, { "introduced": "2.15.0b1" }, { "fixed": "2.15.13rc1" }, { "introduced": "2.16.0b1" }, { "fixed": "2.16.13rc1" }, { "introduced": "2.17.0b1" }, { "fixed": "2.17.6rc1" }, { "introduced": "2.18.0b1" }, { "fixed": "2.18.0rc2" } ] }
Affected versions
0.*
0.0.1
0.01
0.3
0.7
Other
pre-ansible-base
stable-2.*
stable-2.10-branchpoint
stable-2.11-branchpoint
stable-2.9-branchpoint
v1.*
v1.0
v1.1
v1.2
v1.4.0
v1.6.0
v2.*
v2.0.0-0.1.alpha1
v2.0.0-0.2.alpha2
v2.0.0-0.3.beta1
v2.0.0-0.4.beta2
v2.0.0-0.5.beta3
v2.11.0b1
v2.11.0b2
v2.11.0b3
v2.11.0b4
v2.14.0
v2.14.0b1
v2.14.0b2
v2.14.0b3
v2.14.0rc1
v2.14.0rc2
v2.14.1
v2.14.10
v2.14.10rc1
v2.14.11
v2.14.11rc1
v2.14.12
v2.14.12rc1
v2.14.13
v2.14.14
v2.14.14rc1
v2.14.15
v2.14.15rc1
v2.14.16
v2.14.16rc1
v2.14.17
v2.14.17rc1
v2.14.1rc1
v2.14.2
v2.14.2rc1
v2.14.3
v2.14.3rc1
v2.14.4
v2.14.4rc1
v2.14.5
v2.14.5rc1
v2.14.6
v2.14.6rc1
v2.14.7
v2.14.7rc1
v2.14.8
v2.14.8rc1
v2.14.9
v2.14.9rc1
v2.15.0
v2.15.0b1
v2.15.0b2
v2.15.0b3
v2.15.0rc1
v2.15.0rc2
v2.15.1
v2.15.10
v2.15.10rc1
v2.15.11
v2.15.11rc1
v2.15.12
v2.15.12rc1
v2.15.1rc1
v2.15.2
v2.15.2rc1
v2.15.3
v2.15.3rc1
v2.15.4
v2.15.4rc1
v2.15.5
v2.15.5rc1
v2.15.6
v2.15.6rc1
v2.15.7
v2.15.7rc1
v2.15.8
v2.15.9
v2.15.9rc1
v2.16.0
v2.16.0b1
v2.16.0b2
v2.16.0rc1
v2.16.1
v2.16.10
v2.16.10rc1
v2.16.11
v2.16.11rc1
v2.16.12
v2.16.12rc1
v2.16.1rc1
v2.16.2
v2.16.3
v2.16.3rc1
v2.16.4
v2.16.4rc1
v2.16.5
v2.16.5rc1
v2.16.6
v2.16.7
v2.16.7rc1
v2.16.8
v2.16.8rc1
v2.16.9
v2.16.9rc1
v2.17.0
v2.17.0b1
v2.17.0rc1
v2.17.0rc2
v2.17.1
v2.17.1rc1
v2.17.2
v2.17.2rc1
v2.17.2rc2
v2.17.3
v2.17.3rc1
v2.17.4
v2.17.4rc1
v2.17.5
v2.17.5rc1
v2.18.0b1
v2.18.0rc1
v2.6.0a1
v2.7.0.a1
v2.8.0a1