{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-10684", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-04T11:06:10.659Z", "dateReserved": "2020-03-20T00:00:00", "datePublished": "2020-03-24T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-10-07T00:00:00"}, "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection."}], "affected": [{"vendor": "Red Hat", "product": "Ansible", "versions": [{"version": "all Ansible 2.7.x versions prior to 2.7.17", "status": "affected"}, {"version": "all Ansible 2.8.x versions prior to 2.8.9", "status": "affected"}, {"version": "all Ansible 2.9.x versions prior to 2.9.6", "status": "affected"}]}], "references": [{"name": "FEDORA-2020-1b6ce91e37", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/"}, {"name": "FEDORA-2020-3990f03ba3", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/"}, {"name": "FEDORA-2020-f80154b5b4", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/"}, {"name": "GLSA-202006-11", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202006-11"}, {"name": "DSA-4950", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2021/dsa-4950"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 7.9, "baseSeverity": "HIGH"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-94", "cweId": "CWE-94"}]}, {"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-862", "cweId": "CWE-862"}]}, {"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-362", "cweId": "CWE-362"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T11:06:10.659Z"}, "title": "CVE Program Container", "references": [{"name": "FEDORA-2020-1b6ce91e37", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/"}, {"name": "FEDORA-2020-3990f03ba3", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/"}, {"name": "FEDORA-2020-f80154b5b4", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/"}, {"name": "GLSA-202006-11", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202006-11"}, {"name": "DSA-4950", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4950"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "588905EA-D600-436A-9AF6-855D0A004DD1", "versionEndExcluding": "2.7.17", "versionStartIncluding": "2.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "E119D1E2-B4E2-430B-A57A-2957DEC491A3", "versionEndExcluding": "2.8.9", "versionStartIncluding": "2.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "AEDEFE74-C877-42A2-BD8A-1271D5B3C47B", "versionEndExcluding": "2.9.6", "versionStartIncluding": "2.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*", "matchCriteriaId": "3E029587-6879-453C-92D3-ABED795279D4", "versionEndIncluding": "3.3.5", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*", "matchCriteriaId": "F2062F74-68D8-4E75-BC69-6038B519F823", "versionEndIncluding": "3.5.5", "versionStartIncluding": "3.5.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*", "matchCriteriaId": "342D4A63-0972-413B-BD65-0495DBF1CDFB", "versionEndIncluding": "3.6.3", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*", "matchCriteriaId": "E722FEF7-58A6-47AD-B1D0-DB0B71B0C7AA", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*", "matchCriteriaId": "704CFA1A-953E-4105-BFBE-406034B83DED", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*", "matchCriteriaId": "36D96259-24BD-44E2-96D9-78CE1D41F956", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection."}, {"lang": "es", "value": "Se descubri\u00f3 un fallo en Ansible Engine, todas las versiones 2.7.x, 2.8.x y versiones 2.9.x anteriores a las versiones 2.7.17, 2.8.9 y 2.9.6 respectivamente, cuando se usa la funci\u00f3n ansible_facts como una subclave de s\u00ed mismo y se promociona hacia una variable cuando la inyecci\u00f3n est\u00e1 habilitada, sobrescribe los ansible_facts despu\u00e9s de la limpieza. Un atacante podr\u00eda tomar ventaja de esto alterando la funci\u00f3n ansible_facts, como ansible_hosts, los usuarios y cualquier otro dato clave que conllevar a una escalada de privilegios o una inyecci\u00f3n de c\u00f3digo."}], "id": "CVE-2020-10684", "lastModified": "2023-11-07T03:14:12.030", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 3.6, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.9, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.5, "impactScore": 5.8, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2020-03-24T14:15:12.327", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202006-11"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4950"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-362"}, {"lang": "en", "value": "CWE-862"}, {"lang": "en", "value": "CWE-94"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Damien Aumaitre (Quarkslab) and Nicolas Surbayrole (Quarkslab) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:1544", "cpe": "cpe:/a:redhat:ansible_engine:2.7::el7", "package": "ansible-0:2.7.17-1.el7ae", "product_name": "Red Hat Ansible Engine 2.7 for RHEL 7", "release_date": "2020-04-22T00:00:00Z"}, {"advisory": "RHSA-2020:1543", "cpe": "cpe:/a:redhat:ansible_engine:2.8::el7", "package": "ansible-0:2.8.11-1.el7ae", "product_name": "Red Hat Ansible Engine 2.8 for RHEL 7", "release_date": "2020-04-22T00:00:00Z"}, {"advisory": "RHSA-2020:1543", "cpe": "cpe:/a:redhat:ansible_engine:2.8::el8", "package": "ansible-0:2.8.11-1.el8ae", "product_name": "Red Hat Ansible Engine 2.8 for RHEL 8", "release_date": "2020-04-22T00:00:00Z"}, {"advisory": "RHSA-2020:1541", "cpe": "cpe:/a:redhat:ansible_engine:2.9::el7", "package": "ansible-0:2.9.7-1.el7ae", "product_name": "Red Hat Ansible Engine 2.9 for RHEL 7", "release_date": "2020-04-22T00:00:00Z"}, {"advisory": "RHSA-2020:1541", "cpe": "cpe:/a:redhat:ansible_engine:2.9::el8", "package": "ansible-0:2.9.7-1.el8ae", "product_name": "Red Hat Ansible Engine 2.9 for RHEL 8", "release_date": "2020-04-22T00:00:00Z"}, {"advisory": "RHSA-2020:1542", "cpe": "cpe:/a:redhat:ansible_engine:2::el7", "package": "ansible-0:2.9.7-1.el7ae", "product_name": "Red Hat Ansible Engine 2 for RHEL 7", "release_date": "2020-04-22T00:00:00Z"}, {"advisory": "RHSA-2020:1542", "cpe": "cpe:/a:redhat:ansible_engine:2::el8", "package": "ansible-0:2.9.7-1.el8ae", "product_name": "Red Hat Ansible Engine 2 for RHEL 8", "release_date": "2020-04-22T00:00:00Z"}, {"advisory": "RHBA-2020:0547", "cpe": "cpe:/a:redhat:ansible_tower:3.4::el7", "package": "ansible-tower-34/ansible-tower-memcached:1.4.15-28", "product_name": "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date": "2020-02-18T00:00:00Z"}, {"advisory": "RHBA-2020:0547", "cpe": "cpe:/a:redhat:ansible_tower:3.4::el7", "package": "ansible-tower-35/ansible-tower-memcached:1.4.15-28", "product_name": "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date": "2020-02-18T00:00:00Z"}, {"advisory": "RHBA-2020:0547", "cpe": "cpe:/a:redhat:ansible_tower:3.4::el7", "package": "ansible-tower-37/ansible-tower-memcached-rhel7:1.4.15-28", "product_name": "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date": "2020-02-18T00:00:00Z"}, {"advisory": "RHBA-2020:1539", "cpe": "cpe:/a:redhat:ansible_tower:3.5::el7", "package": "ansible-tower-35/ansible-tower:3.5.6-1", "product_name": "Red Hat Ansible Tower 3.5 for RHEL 7", "release_date": "2020-04-22T00:00:00Z"}], "bugzilla": {"description": "Ansible: code injection when using ansible_facts as a subkey", "id": "1815519", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1815519"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.9", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "status": "verified"}, "cwe": "CWE-862", "details": ["A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.", "A flaw was found in the Ansible Engine. When using ansible_facts as a subkey of itself, and promoting it to a variable when injecting is enabled, overwriting the ansible_facts after the clean, an attacker could take advantage of this by altering the ansible_facts leading to privilege escalation or code injection. The highest threat from this vulnerability are to data integrity and system availability."], "mitigation": {"lang": "en:us", "value": "Currently, there is not a known mitigation except avoiding the functionality of using ansible_facts as a subkey."}, "name": "CVE-2020-10684", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "impact": "moderate", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "impact": "moderate", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "impact": "moderate", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat Storage 3"}], "public_date": "2020-03-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-10684\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10684"], "statement": "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be consumed from core Ansible. But we still ship ansible separately for ceph ubuntu.\n* Red Hat OpenStack Platform does package the affected code. However, because RHOSP does not use ansible_facts as a subkey directly, the RHOSP impact has been reduced to Moderate and no update will be provided at this time for the RHOSP ansible package.", "threat_severity": "Important", "upstream_fix": "ansible-engine 2.7.17, ansible-engine 2.8.11, ansible-engine 2.9.7"}