{"containers": {"cna": {"affected": [{"product": "ansible", "vendor": "n/a", "versions": [{"status": "affected", "version": "ansible-engine 2.8.15, ansible-engine 2.9.13"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-347", "description": "CWE-347", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-08-07T14:06:19", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869154"}, {"name": "DSA-4950", "tags": ["vendor-advisory", "x_refsource_DEBIAN"], "url": "https://www.debian.org/security/2021/dsa-4950"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2020-14365", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "ansible", "version": {"version_data": [{"version_value": "ansible-engine 2.8.15, ansible-engine 2.9.13"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-347"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=1869154", "refsource": "MISC", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869154"}, {"name": "DSA-4950", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4950"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:46:33.762Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869154"}, {"name": "DSA-4950", "tags": ["vendor-advisory", "x_refsource_DEBIAN", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4950"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2020-14365", "datePublished": "2020-09-23T12:25:47", "dateReserved": "2020-06-17T00:00:00", "dateUpdated": "2024-08-04T12:46:33.762Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "128A8518-1B23-4263-8958-2A3813E70EAD", "versionEndIncluding": "2.8.15", "versionStartIncluding": "2.8.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "2633DB82-E043-4132-9493-B4CBB25FAE82", "versionEndIncluding": "2.9.13", "versionStartIncluding": "2.9.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*", "matchCriteriaId": "8EA99A5E-25E4-42A8-92D3-017734DA0AA7", "versionEndIncluding": "3.6.5", "versionStartIncluding": "3.6.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*", "matchCriteriaId": "DDE01259-A945-4567-AB95-8DAB087A686A", "versionEndIncluding": "3.7.2", "versionStartIncluding": "3.7.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_tower:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "B31C575C-06D2-4CAF-A5B7-B9469B3ED55F", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ceph_storage:2.0:*:*:*:*:*:*:*", "matchCriteriaId": "D07DF15E-FE6B-4DAF-99BB-2147CF7D7EEA", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*", "matchCriteriaId": "516F4E8E-ED2F-4282-9DAB-D8B378F61258", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "542B31BD-5767-4B33-9201-40548D1223B3", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "C52600BF-9E87-4CD2-91F3-685AFE478C1E", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en Ansible Engine, en ansible-engine versiones 2.8.x anteriores a 2.8.15 y ansible-engine versiones 2.9.x anteriores a 2.9.13, Cuando se instalan paquetes usando el m\u00f3dulo dnf. Unas firmas GPG son ignoradas durante la instalaci\u00f3n incluso cuando disable_gpg_check es establecida en False, que es el comportamiento predeterminado. Este fallo conlleva a que son instalados paquetes maliciosos en el sistema y son ejecutados c\u00f3digos arbitrarios por medio de scripts de instalaci\u00f3n de paquetes. La mayor amenaza de esta vulnerabilidad es la integridad y la disponibilidad del sistema"}], "id": "CVE-2020-14365", "lastModified": "2022-04-05T15:29:36.270", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 6.6, "confidentialityImpact": "NONE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:N/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 9.2, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-09-23T13:15:15.470", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869154"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4950"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-347"}], "source": "secalert@redhat.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-347"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Bruno Travouillon (Atos) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:3600", "cpe": "cpe:/a:redhat:ansible_engine:2.8::el7", "package": "ansible-0:2.8.15-1.el7ae", "product_name": "Red Hat Ansible Engine 2.8 for RHEL 7", "release_date": "2020-09-01T00:00:00Z"}, {"advisory": "RHSA-2020:3600", "cpe": "cpe:/a:redhat:ansible_engine:2.8::el8", "package": "ansible-0:2.8.15-1.el8ae", "product_name": "Red Hat Ansible Engine 2.8 for RHEL 8", "release_date": "2020-09-01T00:00:00Z"}, {"advisory": "RHSA-2020:3601", "cpe": "cpe:/a:redhat:ansible_engine:2.9::el7", "package": "ansible-0:2.9.13-1.el7ae", "product_name": "Red Hat Ansible Engine 2.9 for RHEL 7", "release_date": "2020-09-01T00:00:00Z"}, {"advisory": "RHSA-2020:3601", "cpe": "cpe:/a:redhat:ansible_engine:2.9::el8", "package": "ansible-0:2.9.13-1.el8ae", "product_name": "Red Hat Ansible Engine 2.9 for RHEL 8", "release_date": "2020-09-01T00:00:00Z"}, {"advisory": "RHSA-2020:3602", "cpe": "cpe:/a:redhat:ansible_engine:2::el7", "package": "ansible-0:2.9.13-1.el7ae", "product_name": "Red Hat Ansible Engine 2 for RHEL 7", "release_date": "2020-09-01T00:00:00Z"}, {"advisory": "RHSA-2020:3602", "cpe": "cpe:/a:redhat:ansible_engine:2::el8", "package": "ansible-0:2.9.13-1.el8ae", "product_name": "Red Hat Ansible Engine 2 for RHEL 8", "release_date": "2020-09-01T00:00:00Z"}], "bugzilla": {"description": "ansible: dnf module install packages with no GPG signature", "id": "1869154", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1869154"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.3", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:H", "status": "verified"}, "cwe": "CWE-347", "details": ["A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.", "A flaw was found in the Ansible Engine when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability."], "mitigation": {"lang": "en:us", "value": "Red Hat has investigated whether a possible mitigation exists for this issue, and has not been able to identify a practical example. Please update as soon as possible."}, "name": "CVE-2020-14365", "package_state": [{"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Will not fix", "impact": "low", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Will not fix", "impact": "low", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "impact": "low", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "impact": "low", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat Storage 3"}], "public_date": "2020-08-31T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-14365\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14365"], "statement": "Ansible Engine 2.8.14 and 2.9.12 as well as previous versions versions are affected.\nAnsible Tower 3.7.2 and 3.6.5 as well as previous versions are affected for containerized versions and has been fixed indirectly in the 3.6.6 and 3.7.3 releases. For non-containerized Ansible Tower versions, the fix is provided via yum update or yum install.\nRed Hat Gluster Storage(RHGS) 3, Red Hat Ceph Storage (RHCS) 2 and 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository. As RHCS 2 and 3 do not use dnf, impact rating is reduced to Low. RHCS still ship ansible separately for Ceph on Ubuntu, but Ubuntu is not impacted by this vulnerability as it uses apt instead of dnf.\nRed Hat OpenStack Platform 10 and 13 ship a vulnerable version of Ansible, however installation of packages is done via yum instead of dnf so this flaw will have no effect.", "threat_severity": "Important", "upstream_fix": "ansible-engine 2.8.15, ansible-engine 2.9.13"}