A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.
                
            References
                    Configurations
                    Configuration 1 (hide)
| 
 | 
Configuration 2 (hide)
| 
 | 
Configuration 3 (hide)
| 
 | 
History
                    No history.
Information
                Published : 2020-03-24 14:15
Updated : 2024-11-21 04:55
NVD link : CVE-2020-10684
Mitre link : CVE-2020-10684
CVE.ORG link : CVE-2020-10684
JSON object : View
Products Affected
                redhat
- ansible_tower
- openstack
- ansible
fedoraproject
- fedora
debian
- debian_linux
