A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.
References
Configurations
Configuration 1 (hide)
|
Configuration 2 (hide)
|
Configuration 3 (hide)
|
History
07 Nov 2023, 03:14
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
Information
Published : 2020-03-24 14:15
Updated : 2024-02-28 17:47
NVD link : CVE-2020-10684
Mitre link : CVE-2020-10684
CVE.ORG link : CVE-2020-10684
JSON object : View
Products Affected
redhat
- ansible_tower
- ansible
- openstack
debian
- debian_linux
fedoraproject
- fedora