GHSA-p62g-jhg6-v3rq
Suggest an improvement- Source
- https://github.com/advisories/GHSA-p62g-jhg6-v3rq
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-p62g-jhg6-v3rq/GHSA-p62g-jhg6-v3rq.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-p62g-jhg6-v3rq
- Aliases
- Published
- 2021-04-07T20:37:06Z
- Modified
- 2024-09-06T17:55:56.058576Z
- Severity
-
- 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H CVSS Calculator
- 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Code Injection, Race Condition, and Execution with Unnecessary Privileges in Ansible
- Details
-
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.11, and 2.9.7 respectively, when using ansiblefacts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansiblefacts after the clean. An attacker could take advantage of this by altering the ansiblefacts, such as ansiblehosts, users and any other key data which would lead into privilege escalation or code injection.
- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2020-10684
- https://github.com/ansible/ansible/commit/0b4788a71fc7d24ffa957a94ee5e23d6a9733ab0
- https://github.com/ansible/ansible/commit/1d0d2645eed36ac4e17052ab4eacf240132d96fb
- https://github.com/ansible/ansible/commit/5eabf7bb93c9bfc375b806a2b1f623d650cddc2b
- https://github.com/ansible/ansible/commit/a9d2ceafe429171c0e2ad007058b88bae57c74ce
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684
- https://github.com/advisories/GHSA-p62g-jhg6-v3rq
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-207.yaml
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB
- https://security.gentoo.org/glsa/202006-11
- https://www.debian.org/security/2021/dsa-4950
Affected packages
PyPI / ansible
Package
- Name
- ansible
- View open source insights on deps.dev
- Purl
- pkg:pypi/ansible
PyPI / ansible
Package
- Name
- ansible
- View open source insights on deps.dev
- Purl
- pkg:pypi/ansible
PyPI / ansible
Package
- Name
- ansible
- View open source insights on deps.dev
- Purl
- pkg:pypi/ansible