{ "threat_severity" : "Important", "public_date" : "2020-03-23T00:00:00Z", "bugzilla" : { "description" : "Ansible: code injection when using ansible_facts as a subkey", "id" : "1815519", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1815519" }, "cvss3" : { "cvss3_base_score" : "7.9", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-862", "details" : [ "A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.", "A flaw was found in the Ansible Engine. When using ansible_facts as a subkey of itself, and promoting it to a variable when injecting is enabled, overwriting the ansible_facts after the clean, an attacker could take advantage of this by altering the ansible_facts leading to privilege escalation or code injection. The highest threat from this vulnerability are to data integrity and system availability." ], "statement" : "* Ansible Engine 2.7.16, 2.8.10, and 2.9.6 as well as previous versions are affected.\n* Ansible Tower 3.4.5, 3.5.5 and 3.6.3 as well as previous versions are affected.\n* Red Hat Gluster Storage and Red Hat Ceph Storage no longer maintains their own version of Ansible. The fix will be consumed from core Ansible. But we still ship ansible separately for ceph ubuntu.\n* Red Hat OpenStack Platform does package the affected code. However, because RHOSP does not use ansible_facts as a subkey directly, the RHOSP impact has been reduced to Moderate and no update will be provided at this time for the RHOSP ansible package.", "acknowledgement" : "Red Hat would like to thank Damien Aumaitre (Quarkslab) and Nicolas Surbayrole (Quarkslab) for reporting this issue.", "affected_release" : [ { "product_name" : "Red Hat Ansible Engine 2.7 for RHEL 7", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1544", "cpe" : "cpe:/a:redhat:ansible_engine:2.7::el7", "package" : "ansible-0:2.7.17-1.el7ae" }, { "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 7", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1543", "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el7", "package" : "ansible-0:2.8.11-1.el7ae" }, { "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 8", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1543", "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el8", "package" : "ansible-0:2.8.11-1.el8ae" }, { "product_name" : "Red Hat Ansible Engine 2.9 for RHEL 7", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1541", "cpe" : "cpe:/a:redhat:ansible_engine:2.9::el7", "package" : "ansible-0:2.9.7-1.el7ae" }, { "product_name" : "Red Hat Ansible Engine 2.9 for RHEL 8", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1541", "cpe" : "cpe:/a:redhat:ansible_engine:2.9::el8", "package" : "ansible-0:2.9.7-1.el8ae" }, { "product_name" : "Red Hat Ansible Engine 2 for RHEL 7", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1542", "cpe" : "cpe:/a:redhat:ansible_engine:2::el7", "package" : "ansible-0:2.9.7-1.el7ae" }, { "product_name" : "Red Hat Ansible Engine 2 for RHEL 8", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHSA-2020:1542", "cpe" : "cpe:/a:redhat:ansible_engine:2::el8", "package" : "ansible-0:2.9.7-1.el8ae" }, { "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date" : "2020-02-18T00:00:00Z", "advisory" : "RHBA-2020:0547", "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7", "package" : "ansible-tower-34/ansible-tower-memcached:1.4.15-28" }, { "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date" : "2020-02-18T00:00:00Z", "advisory" : "RHBA-2020:0547", "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7", "package" : "ansible-tower-35/ansible-tower-memcached:1.4.15-28" }, { "product_name" : "Red Hat Ansible Tower 3.4 for RHEL 7", "release_date" : "2020-02-18T00:00:00Z", "advisory" : "RHBA-2020:0547", "cpe" : "cpe:/a:redhat:ansible_tower:3.4::el7", "package" : "ansible-tower-37/ansible-tower-memcached-rhel7:1.4.15-28" }, { "product_name" : "Red Hat Ansible Tower 3.5 for RHEL 7", "release_date" : "2020-04-22T00:00:00Z", "advisory" : "RHBA-2020:1539", "cpe" : "cpe:/a:redhat:ansible_tower:3.5::el7", "package" : "ansible-tower-35/ansible-tower:3.5.6-1" } ], "package_state" : [ { "product_name" : "Red Hat Ceph Storage 2", "fix_state" : "Out of support scope", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:ceph_storage:2" }, { "product_name" : "Red Hat Ceph Storage 3", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:ceph_storage:3", "impact" : "moderate" }, { "product_name" : "Red Hat OpenStack Platform 10 (Newton)", "fix_state" : "Out of support scope", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openstack:10", "impact" : "moderate" }, { "product_name" : "Red Hat OpenStack Platform 13 (Queens)", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:openstack:13", "impact" : "moderate" }, { "product_name" : "Red Hat Storage 3", "fix_state" : "Will not fix", "package_name" : "ansible", "cpe" : "cpe:/a:redhat:storage:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-10684\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-10684" ], "name" : "CVE-2020-10684", "mitigation" : { "value" : "Currently, there is not a known mitigation except avoiding the functionality of using ansible_facts as a subkey.", "lang" : "en:us" }, "csaw" : false }