CVE-2024-9902
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
Summary
A flaw was found in Ansible. The ansible-core user module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the user module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
0 < 2.14.18rc1 | affected | ||
2.15.0b1 < 2.15.13rc1 | affected | ||
2.16.0b1 < 2.16.13rc1 | affected | ||
2.17.0b1 < 2.17.6rc1 | affected | ||
2.18.0b1 < 2.18.0rc2 | affected | ||
| Red Hat | Ansible Automation Platform Execution Environments | 3.0.1-96 < * | unaffected |
| Red Hat | Ansible Automation Platform Execution Environments | 3.0.1-95 < * | unaffected |
| Red Hat | Ansible Automation Platform Execution Environments | 2.9.27-32 < * | unaffected |
| Red Hat | Ansible Automation Platform Execution Environments | 2.14.13-21 < * | unaffected |
| Red Hat | Ansible Automation Platform Execution Environments | 2.17.6-2 < * | unaffected |
| Red Hat | Red Hat Ansible Automation Platform 2.4 for RHEL 8 | 1:2.15.13-1.el8ap < * | unaffected |
| Red Hat | Red Hat Ansible Automation Platform 2.4 for RHEL 9 | 1:2.15.13-1.el9ap < * | unaffected |
| Red Hat | Red Hat Ansible Automation Platform 2.5 for RHEL 8 | 1:2.16.13-1.el8ap < * | unaffected |
| Red Hat | Red Hat Ansible Automation Platform 2.5 for RHEL 9 | 1:2.16.13-1.el9ap < * | unaffected |
| Red Hat | Red Hat OpenStack Platform 17.1 for RHEL 9 | 0:2.14.2-4.6.el9ost < * | unaffected |
Weaknesses
- CWE-863: Incorrect Authorization
Workarounds
In the play that uses the user module with the key generation option, have a prior task ensuring the public key does not exist for example:
- name: avoid user exploit (change name depending on other options used in user task) file: path=/home/{{username}}/.ssh/id_rsa.pub state=absent
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
CVE Program Container
Additional References
References
- https://access.redhat.com/errata/RHSA-2024:10762
- https://access.redhat.com/errata/RHSA-2024:8969
- https://access.redhat.com/errata/RHSA-2024:9894
- https://access.redhat.com/errata/RHSA-2025:1861
- https://access.redhat.com/security/cve/CVE-2024-9902
- https://bugzilla.redhat.com/show_bug.cgi?id=2318271
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.