PYSEC-2020-209 — Vulnetix

PYSEC-2020-209 PUBLISHED CVSS 9.300000190734863 CRITICAL

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	ansible	2.8.0, 2.9.0, 2.8.0

Timeline

Sep 23, 2020 CVE Published
Nov 8, 2023 CVE Updated

References

https://bugzilla.redhat.com/show_bug.cgi?id=1869154 report
https://github.com/advisories/GHSA-m429-fhmv-c6q2 advisory

Open in Interactive Console →