Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2020-10684

Опубликовано: 24 мар. 2020
Источник: nvd
CVSS3: 7.9
CVSS3: 7.1
CVSS2: 3.6
EPSS Низкий

Описание

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
Версия от 2.7.0 (включая) до 2.7.17 (исключая)
cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
Версия от 2.8.0 (включая) до 2.8.9 (исключая)
cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
Версия от 2.9.0 (включая) до 2.9.6 (исключая)
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Версия до 3.3.5 (включая)
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Версия от 3.5.0 (включая) до 3.5.5 (включая)
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
Версия от 3.6.0 (включая) до 3.6.3 (включая)
cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
Конфигурация 2
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Конфигурация 3

Одно из

cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*

EPSS

Процентиль: 6%
0.00024
Низкий

7.9 High

CVSS3

7.1 High

CVSS3

3.6 Low

CVSS2

Дефекты

CWE-94
CWE-862

Связанные уязвимости

ubuntu логотип

CVE-2020-10684

CVSS3: 7.9
ubuntu
почти 6 лет назад

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.

redhat логотип

CVE-2020-10684

CVSS3: 7.9
redhat
почти 6 лет назад

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.

debian логотип

CVE-2020-10684

CVSS3: 7.9
debian
почти 6 лет назад

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9. ...

github логотип

GHSA-p62g-jhg6-v3rq

CVSS3: 7.1
github
почти 5 лет назад

Code Injection, Race Condition, and Execution with Unnecessary Privileges in Ansible

fstec логотип

BDU:2020-05829

fstec
почти 6 лет назад

Уязвимость системы управления конфигурациями Ansible, связанная с ошибками синхронизации при использовании общего ресурса, позволяющая нарушителю повысить свои привилегии и выполнить произвольный код

EPSS

Процентиль: 6%
0.00024
Низкий

7.9 High

CVSS3

7.1 High

CVSS3

3.6 Low

CVSS2

Дефекты

CWE-94
CWE-862