PYSEC-2020-207
See a problem?- Import Source
- https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2020-207.yaml
- JSON Data
- https://api.osv.dev/v1/vulns/PYSEC-2020-207
- Aliases
- Published
- 2020-03-24T14:15:00Z
- Modified
- 2023-11-08T04:01:59.204492Z
- Summary
- [none]
- Details
-
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansiblefacts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansiblefacts after the clean. An attacker could take advantage of this by altering the ansiblefacts, such as ansiblehosts, users and any other key data which would lead into privilege escalation or code injection.
- References
-
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
- https://security.gentoo.org/glsa/202006-11
- https://github.com/advisories/GHSA-p62g-jhg6-v3rq
Affected packages
PyPI / ansible
Package
- Name
- ansible
- View open source insights on deps.dev
- Purl
- pkg:pypi/ansible