CVE-2020-10684

Source
https://nvd.nist.gov/vuln/detail/CVE-2020-10684
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2020-10684.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2020-10684
Aliases
Related
Published
2020-03-24T14:15:12Z
Modified
2024-06-06T12:56:35.583469Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Summary
[none]
Details

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.

References

Affected packages

Git / github.com/ansible/ansible

Affected ranges

Type
GIT
Repo
https://github.com/ansible/ansible
Events

Affected versions

v2.*

v2.8.0
v2.8.1
v2.8.2
v2.8.3
v2.8.4
v2.8.5
v2.8.6
v2.8.7
v2.8.8