{"containers": {"cna": {"affected": [{"product": "Ansible", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "2.2.0"}]}], "datePublic": "2016-11-01T00:00:00", "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-358", "description": "CWE-358", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2018-08-01T16:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"name": "94108", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/94108"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ansible/ansible-modules-core/pull/5353"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ansible/ansible-modules-core/pull/5357"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ansible/ansible-modules-core/issues/5237"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2016-8614", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ansible", "version": {"version_data": [{"version_value": "2.2.0"}]}}]}, "vendor_name": "Red Hat"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key."}]}, "impact": {"cvss": [[{"vectorString": "6.3/CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.0"}], [{"vectorString": "6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-358"}]}]}, "references": {"reference_data": [{"name": "94108", "refsource": "BID", "url": "http://www.securityfocus.com/bid/94108"}, {"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614"}, {"name": "https://github.com/ansible/ansible-modules-core/pull/5353", "refsource": "CONFIRM", "url": "https://github.com/ansible/ansible-modules-core/pull/5353"}, {"name": "https://github.com/ansible/ansible-modules-core/pull/5357", "refsource": "CONFIRM", "url": "https://github.com/ansible/ansible-modules-core/pull/5357"}, {"name": "https://github.com/ansible/ansible-modules-core/issues/5237", "refsource": "CONFIRM", "url": "https://github.com/ansible/ansible-modules-core/issues/5237"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-06T02:27:41.024Z"}, "title": "CVE Program Container", "references": [{"name": "94108", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/94108"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ansible/ansible-modules-core/pull/5353"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ansible/ansible-modules-core/pull/5357"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ansible/ansible-modules-core/issues/5237"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2016-8614", "datePublished": "2018-07-31T21:00:00", "dateReserved": "2016-10-12T00:00:00", "dateUpdated": "2024-08-06T02:27:41.024Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "595884EA-DBD0-4E8D-A503-C7F6D4E3CCC2", "versionEndExcluding": "2.2.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key."}, {"lang": "es", "value": "Se ha descubierto un problema en versiones anteriores a la 2.2.0 de Ansible. El m\u00f3dulo apt_key no verifica correctamente las huellas de la clave, lo que permite que un adversario remoto cree una clave de OpenPGP que coincide con el ID de clave corto y la inyecte en lugar de la clave correcta."}], "id": "CVE-2016-8614", "lastModified": "2024-11-21T02:59:40.707", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 3.4, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-07-31T21:29:00.210", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94108"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ansible/ansible-modules-core/issues/5237"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ansible/ansible-modules-core/pull/5353"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ansible/ansible-modules-core/pull/5357"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/94108"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ansible/ansible-modules-core/issues/5237"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/ansible/ansible-modules-core/pull/5353"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/ansible/ansible-modules-core/pull/5357"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-358"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-320"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "ansible: Improper verification of key fingerprints in apt_key module", "id": "1388038", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1388038"}, "csaw": false, "cvss": {"cvss_base_score": "6.8", "cvss_scoring_vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status": "draft"}, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L", "status": "draft"}, "cwe": "CWE-358", "details": ["A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key."], "name": "CVE-2016-8614", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3", "fix_state": "Not affected", "package_name": "ansible", "product_name": "Red Hat OpenShift Enterprise 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:qci:1.0::el7", "fix_state": "Not affected", "package_name": "ansible", "product_name": "Red Hat Quickstart Cloud Installer 1"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "ansible", "product_name": "Red Hat Storage 3.0"}, {"cpe": "cpe:/a:redhat:rhscon:2", "fix_state": "Not affected", "package_name": "ansible", "product_name": "Red Hat Storage Console 2"}], "public_date": "2016-11-01T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2016-8614\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-8614"], "threat_severity": "Moderate", "upstream_fix": "ansible 2.2.0"}