CVE-2020-14365

CWE-3478 documents7 sources

Severity

7.1HIGH

EPSS

0.1%

top 78.46%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible Engine Redhat Ansible Tower Debian Debian Linux +2 more

Timeline

PublishedSep 23

Latest updateApr 20

Description

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:HExploitability: 1.8 | Impact: 5.2

Affected Packages7 packages

▶NVDredhat/ansible_engine2.8.0 — 2.8.15+1

▶PyPIansible2.8.0a1 — 2.8.15+1

▶Debianansible< 2.9.13+dfsg-1+3

▶NVDredhat/ansible_tower3.6.0 — 3.6.5+2

▶CVEListV5ansibleansible-engine 2.8.15, ansible-engine 2.9.13

Also affects: Debian Linux 10.0

🔴Vulnerability Details

OSV

Improper Verification of Cryptographic Signature in ansible↗2021-04-20

▶

GHSA

Improper Verification of Cryptographic Signature in ansible↗2021-04-20

▶

CVEList

CVE-2020-14365: A flaw was found in the Ansible Engine, in ansible-engine 2↗2020-09-23

▶

OSV

CVE-2020-14365: A flaw was found in the Ansible Engine, in ansible-engine 2↗2020-09-23

▶

📋Vendor Advisories

Red Hat

ansible: dnf module install packages with no GPG signature↗2020-08-31

▶

Debian

CVE-2020-14365: ansible - A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 an...↗2020

▶

💬Community

Bugzilla

CVE-2020-14365 ansible: dnf module install packages with no GPG signature↗2020-08-17

▶