Vulnerability DatabaseCVE-2020-10684
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2020-10684
March 24, 2020
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.
Affected Packages
ansible (PYTHON):
Affected version(s) >=2.9.0b1 <2.9.7
Fix Suggestion:
Update to version 2.9.7
ansible (PYTHON):
Affected version(s) >=2.8.0a1 <2.8.11
Fix Suggestion:
Update to version 2.8.11
ansible (PYTHON):
Affected version(s) >=2.9.0b1 <2.9.7
Fix Suggestion:
Update to version 2.9.7
ansible (PYTHON):
Affected version(s) >=2.8.0a1 <2.8.11
Fix Suggestion:
Update to version 2.8.11
ansible (PYTHON):
Affected version(s) >=2.9.0b1 <2.9.7
Fix Suggestion:
Update to version 2.9.7
ansible (PYTHON):
Affected version(s) >=2.7.0a1 <2.7.17
Fix Suggestion:
Update to version 2.7.17
ansible (PYTHON):
Affected version(s) >=2.8.0a1 <2.8.11
Fix Suggestion:
Update to version 2.8.11
ansible (PYTHON):
Affected version(s) >=2.9.0b1 <2.9.7
Fix Suggestion:
Update to version 2.9.7
ansible (PYTHON):
Affected version(s) >=2.8.0a1 <2.8.11
Fix Suggestion:
Update to version 2.8.11
ansible (PYTHON):
Affected version(s) >=2.7.0a1 <2.7.17
Fix Suggestion:
Update to version 2.7.17
ansible (PYTHON):
Affected version(s) >=2.7.0a1 <2.7.17
Fix Suggestion:
Update to version 2.7.17
Related ResourcesĀ (20)
https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-207.yaml
https://www.debian.org/security/2021/dsa-4950
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S
https://security.gentoo.org/glsa/202006-11
https://github.com/ansible/ansible
https://github.com/ansible/ansible/commit/0b4788a71fc7d24ffa957a94ee5e23d6a9733ab0
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
https://github.com/ansible/ansible/commit/1d0d2645eed36ac4e17052ab4eacf240132d96fb
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
https://github.com/advisories/GHSA-p62g-jhg6-v3rq
https://nvd.nist.gov/vuln/detail/CVE-2020-10684
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684
https://github.com/ansible/ansible/commit/a9d2ceafe429171c0e2ad007058b88bae57c74ce
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB
https://github.com/ansible/ansible/commit/5eabf7bb93c9bfc375b806a2b1f623d650cddc2b
Do you need more information?
Contact Us
CVSS v4
Base Score:
7
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
PASSIVE
Vulnerable System Confidentiality
NONE
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
HIGH
Subsequent System Availability
HIGH
CVSS v3
Base Score:
7.9
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality
NONE
Integrity
HIGH
Availability
HIGH
CVSS v2
Base Score:
3.6
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
Weakness Type (CWE)
Execution with Unnecessary Privileges
CWE-250
Missing Authorization
CWE-862
Improper Control of Generation of Code ('Code Injection')
CWE-94
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-362
EPSS
Base Score:
0.02