Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
{ "nvd_published_at": null, "cwe_ids": [ "CWE-345" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:59:44Z" }