CVE-2020-10684

NameCVE-2020-10684
DescriptionA flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitylow

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ansible (PTS)jessie1.7.2+dfsg-2fixed
jessie (security)1.7.2+dfsg-2+deb8u3fixed
stretch (security), stretch2.2.1.0-2+deb9u1vulnerable
buster2.7.7+dfsg-1vulnerable
bullseye, sid2.9.9+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ansiblesource(unstable)2.9.7+dfsg-1
ansiblesourcejessie(not affected)

Notes

[jessie] - ansible <not-affected> (Vulnerable code introduced later, 'ansible_facts' variable not exposed)
https://bugzilla.redhat.com/show_bug.cgi?id=1815519
https://github.com/ansible/ansible/pull/68431
https://github.com/ansible/ansible/commit/a9d2ceafe429171c0e2ad007058b88bae57c74ce

Search for package or bug name: Reporting problems