Vulnerabilities > CVE-2020-10684 - Missing Authorization vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
HIGH Availability impact
HIGH Summary
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2020-F80154B5B4.NASL description Update to upstream bugfix and security update 2.9.7. See https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELO G-v2.9.rst for a detailed list of changes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-06 modified 2020-04-27 plugin id 136002 published 2020-04-27 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/136002 title Fedora 31 : ansible (2020-f80154b5b4) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory FEDORA-2020-f80154b5b4. # include("compat.inc"); if (description) { script_id(136002); script_version("1.7"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/05"); script_cve_id("CVE-2020-10684", "CVE-2020-10685", "CVE-2020-10691", "CVE-2020-1733", "CVE-2020-1735", "CVE-2020-1740", "CVE-2020-1746", "CVE-2020-1753"); script_xref(name:"FEDORA", value:"2020-f80154b5b4"); script_xref(name:"IAVB", value:"2019-B-0092"); script_name(english:"Fedora 31 : ansible (2020-f80154b5b4)"); script_summary(english:"Checks rpm output for the updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora host is missing a security update." ); script_set_attribute( attribute:"description", value: "Update to upstream bugfix and security update 2.9.7. See https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELO G-v2.9.rst for a detailed list of changes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://bodhi.fedoraproject.org/updates/FEDORA-2020-f80154b5b4" ); # https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?36c0680c" ); script_set_attribute( attribute:"solution", value:"Update the affected ansible package." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:H/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1733"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:ansible"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:31"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/03/11"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/27"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_set_attribute(attribute:"stig_severity", value:"II"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! preg(pattern:"^31([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 31", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC31", reference:"ansible-2.9.7-1.fc31")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_NOTE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "ansible"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-1541.NASL description The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1541 advisory. - Ansible: code injection when using ansible_facts as a subkey (CVE-2020-10684) - Ansible: modules which use files encrypted with vault are not properly cleaned up (CVE-2020-10685) - Ansible: archive traversal vulnerability in ansible- galaxy collection install (CVE-2020-10691) - ansible: insecure temporary directory when running become_user from become directive (CVE-2020-1733) - ansible: path injection on dest parameter in fetch module (CVE-2020-1735) - ansible: Extract-Zip function in win_unzip module does not check extracted path (CVE-2020-1737) - ansible: svn module leaks password when specified as a parameter (CVE-2020-1739) - ansible: secrets readable after ansible-vault edit (CVE-2020-1740) - ansible: Information disclosure issue in ldap_attr and ldap_entry modules (CVE-2020-1746) - Ansible: kubectl connection plugin leaks sensitive information (CVE-2020-1753) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-05 modified 2020-04-22 plugin id 135911 published 2020-04-22 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135911 title RHEL 7 / 8 : Ansible security and bug fix update (2.9.7) (Important) (RHSA-2020:1541) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-2_0-0226_ANSIBLE.NASL description An update of the ansible package has been released. last seen 2020-06-05 modified 2020-04-10 plugin id 135298 published 2020-04-10 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135298 title Photon OS 2.0: Ansible PHSA-2020-2.0-0226 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-1542.NASL description The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1542 advisory. - Ansible: code injection when using ansible_facts as a subkey (CVE-2020-10684) - Ansible: modules which use files encrypted with vault are not properly cleaned up (CVE-2020-10685) - Ansible: archive traversal vulnerability in ansible- galaxy collection install (CVE-2020-10691) - ansible: insecure temporary directory when running become_user from become directive (CVE-2020-1733) - ansible: path injection on dest parameter in fetch module (CVE-2020-1735) - ansible: Extract-Zip function in win_unzip module does not check extracted path (CVE-2020-1737) - ansible: svn module leaks password when specified as a parameter (CVE-2020-1739) - ansible: secrets readable after ansible-vault edit (CVE-2020-1740) - ansible: Information disclosure issue in ldap_attr and ldap_entry modules (CVE-2020-1746) - Ansible: kubectl connection plugin leaks sensitive information (CVE-2020-1753) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-05 modified 2020-04-22 plugin id 135914 published 2020-04-22 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135914 title RHEL 7 / 8 : Ansible security and bug fix update (2.9.7) (Important) (RHSA-2020:1542) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-1543.NASL description The remote Redhat Enterprise Linux 7 / 8 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:1543 advisory. - Ansible: code injection when using ansible_facts as a subkey (CVE-2020-10684) - Ansible: modules which use files encrypted with vault are not properly cleaned up (CVE-2020-10685) - ansible: insecure temporary directory when running become_user from become directive (CVE-2020-1733) - ansible: path injection on dest parameter in fetch module (CVE-2020-1735) - ansible: Extract-Zip function in win_unzip module does not check extracted path (CVE-2020-1737) - ansible: svn module leaks password when specified as a parameter (CVE-2020-1739) - ansible: secrets readable after ansible-vault edit (CVE-2020-1740) - ansible: Information disclosure issue in ldap_attr and ldap_entry modules (CVE-2020-1746) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-05 modified 2020-04-22 plugin id 135915 published 2020-04-22 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135915 title RHEL 7 / 8 : Ansible security and bug fix update (2.8.11) (Important) (RHSA-2020:1543) NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2020-3_0-0078_ANSIBLE.NASL description An update of the ansible package has been released. last seen 2020-06-05 modified 2020-04-21 plugin id 135779 published 2020-04-21 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135779 title Photon OS 3.0: Ansible PHSA-2020-3.0-0078 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2020-1544.NASL description The remote Redhat Enterprise Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:1544 advisory. - Ansible: code injection when using ansible_facts as a subkey (CVE-2020-10684) - Ansible: modules which use files encrypted with vault are not properly cleaned up (CVE-2020-10685) - ansible: insecure temporary directory when running become_user from become directive (CVE-2020-1733) - ansible: path injection on dest parameter in fetch module (CVE-2020-1735) - ansible: Extract-Zip function in win_unzip module does not check extracted path (CVE-2020-1737) - ansible: svn module leaks password when specified as a parameter (CVE-2020-1739) - ansible: secrets readable after ansible-vault edit (CVE-2020-1740) - ansible: Information disclosure issue in ldap_attr and ldap_entry modules (CVE-2020-1746) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-05 modified 2020-04-22 plugin id 135913 published 2020-04-22 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135913 title RHEL 7 : Ansible security and bug fix update (2.7.17) (Important) (RHSA-2020:1544) NASL family Fedora Local Security Checks NASL id FEDORA_2020-1B6CE91E37.NASL description Update to upstream bugfix and security update 2.9.7. See https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELO G-v2.9.rst for a detailed list of changes. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-06 modified 2020-04-27 plugin id 135987 published 2020-04-27 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/135987 title Fedora 30 : ansible (2020-1b6ce91e37)
Redhat
| rpms |
|
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684
- https://security.gentoo.org/glsa/202006-11
- https://www.debian.org/security/2021/dsa-4950
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/