CVE-2020-10684

Summary

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.

Affected Software

VendorProductVersion RangeStatus
Red HatAnsibleall Ansible 2.7.x versions prior to 2.7.17affected
Red HatAnsibleall Ansible 2.8.x versions prior to 2.8.9affected
Red HatAnsibleall Ansible 2.9.x versions prior to 2.9.6affected

Weaknesses

  • CWE-94: CWE-94
  • CWE-862: CWE-862
  • CWE-362: CWE-362

ADP Enrichment

CVE Program Container

Additional References

References