⚠ Exploited in the wild

Exploitation observed in the wild. Not yet on CISA KEV.

CVE-2020-10684 — Code Injection in Redhat Ansible

CWE-94 — Code Injection CWE-362 — Race Condition CWE-862 — Missing Authorization CWE-250 — Execution with Unnecessary Privileges12 documents8 sources

Severity

7.1HIGHNVD

CNA7.9VulnCheck7.9

EPSS

0.0%

top 93.54%

CISA KEV

Not in KEV

Exploit

Exploited in wild

Active exploitation observed

Affected products

Redhat Ansible Redhat Ansible Tower RED HAT Ansible +3 more

Timeline

PublishedMar 24

Latest updateApr 7

Description

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages6 packages

▶NVDredhat/ansible2.7.0 — 2.7.17+2

▶PyPIredhat/ansible2.7.0a1 — 2.7.17+2

▶Debianredhat/ansible< 2.9.7+dfsg-1+3

▶NVDredhat/ansible_tower3.5.0 — 3.5.5+2

▶CVEListV5red_hat/ansibleall Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.9, all Ansible 2.9.x versions prior to 2.9.6+2

Also affects: Debian Linux 10.0, Fedora 30, 31, 32

🔴Vulnerability Details

GHSA

Code Injection, Race Condition, and Execution with Unnecessary Privileges in Ansible↗2021-04-07

▶

OSV

Code Injection, Race Condition, and Execution with Unnecessary Privileges in Ansible↗2021-04-07

▶

CVEList

CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2↗2020-03-24

▶

OSV

CVE-2020-10684: A flaw was found in Ansible Engine, all versions 2↗2020-03-24

▶

VulnCheck

Red Hat ansible Improper Control of Generation of Code ('Code Injection')↗2020

▶

📋Vendor Advisories

Red Hat

Ansible: code injection when using ansible_facts as a subkey↗2020-03-23

▶

Debian

CVE-2020-10684: ansible - A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to...↗2020

▶

💬Community

Bugzilla

CVE-2020-10684 ansible: code injection when using ansible_facts as a subkey [openstack-rdo]↗2020-03-23

▶

Bugzilla

CVE-2020-10684 ansible: code injection when using ansible_facts as a subkey [epel-all]↗2020-03-23

▶

Bugzilla

CVE-2020-10684 ansible: code injection when using ansible_facts as a subkey [fedora-all]↗2020-03-23

▶

Bugzilla

CVE-2020-10684 Ansible: code injection when using ansible_facts as a subkey↗2020-03-20

▶