A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.11, and 2.9.7 respectively, when using ansiblefacts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansiblefacts after the clean. An attacker could take advantage of this by altering the ansiblefacts, such as ansiblehosts, users and any other key data which would lead into privilege escalation or code injection.
{ "nvd_published_at": "2020-03-24T14:15:00Z", "cwe_ids": [ "CWE-250", "CWE-362", "CWE-862", "CWE-94" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2021-04-05T14:46:48Z" }