CVE-2020-14365

Name: CVE-2020-14365
Description: A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
References: DSA-4950-1
NVD severity: medium

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                  Version                              Status
ansible (PTS)    stretch                  2.2.1.0-2+deb9u1                     vulnerable
                 stretch (security)       2.2.1.0-2+deb9u2                     vulnerable
                 buster                   2.7.7+dfsg-1                         vulnerable
                 buster (security)        2.7.7+dfsg-1+deb10u1                 fixed
                 bookworm, sid, bullseye  2.10.7+merged+base+2.10.8+dfsg-1     fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version           Urgency      Origin       Debian Bugs
ansible   source   buster       2.7.7+dfsg-1+deb10u1                 DSA-4950-1
ansible   source   (unstable)   2.9.13+dfsg-1           unimportant

Notes

https://bugzilla.redhat.com/show_bug.cgi?id=1869154
https://github.com/ansible/ansible/commit/1d043e082b3b1f3ad35c803137f5d3bcbae92275 (v2.9.13)
Negligible security impact on Debian systems
