CVE-2024-9902 — Incorrect Authorization in Redhat Ansible

CWE-863 — Incorrect Authorization9 documents8 sources

Severity

6.3MEDIUMNVD

EPSS

0.0%

top 91.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible

Timeline

PublishedNov 6

Latest updateApr 15

Description

A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:LExploitability: 0.8 | Impact: 5.5

Affected Packages1 packages

▶Debianredhat/ansible< 2.10.7+merged+base+2.10.17+dfsg-0+deb11u2+3

🔴Vulnerability Details

OSV

CVE-2024-9902: A flaw was found in Ansible↗2024-11-06

▶

OSV

ansible-core Incorrect Authorization vulnerability↗2024-11-06

▶

GHSA

ansible-core Incorrect Authorization vulnerability↗2024-11-06

▶

CVEList

Ansible-core: ansible-core user may read/write unauthorized content↗2024-11-06

▶

📋Vendor Advisories

Oracle

Oracle Oracle Siebel CRM Risk Matrix: Siebel Cloud Manager (Ansible) — CVE-2024-9902↗2025-04-15

▶

Microsoft

Ansible-core: ansible-core user may read/write unauthorized content↗2024-11-12

▶

Red Hat

ansible-core: Ansible-core user may read/write unauthorized content↗2024-11-06

▶

Debian

CVE-2024-9902: ansible - A flaw was found in Ansible. The ansible-core `user` module can allow an unprivi...↗2024

▶