PYSEC-2020-207

Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2020-207.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2020-207
Aliases
Published
2020-03-24T14:15:00Z
Modified
2023-11-08T04:01:59.204492Z
Summary
[none]
Details

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data, which would lead to privilege escalation or code injection.

References

Affected packages

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.17
Introduced
2.8.0
Fixed
2.8.9
Introduced
2.9.0
Fixed
2.9.6

Affected versions

2.*

2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15
2.7.16
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5