
Nicolas Surbayrole

Researcher from Quarkslab
#31903 of 53,635
7.9 Total CVSS
Vulnerabilities · 1
PT-2020-5206
7.9
2020-03-12
Red Hat · Ansible Engine · CVE-2020-10684
**Name of the Vulnerable Software and Affected Versions**

- Ansible Engine versions 2.7.x through 2.7.17
- Ansible Engine versions 2.8.x through 2.8.9
- Ansible Engine versions 2.9.x through 2.9.6

**Description**

A flaw was found in Ansible Engine when using `ansible_facts` as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the `ansible_facts` after the clean. An attacker could take advantage of this by altering the `ansible_facts`, such as `ansible_hosts`, `users`, and any other key data, which would lead to privilege escalation or code injection.

**Recommendations**

- For Ansible Engine versions 2.7.x through 2.7.17, update to version 2.7.17 or later.
- For Ansible Engine versions 2.8.x through 2.8.9, update to version 2.8.9 or later.
- For Ansible Engine versions 2.9.x through 2.9.6, update to version 2.9.6 or later.

As a temporary workaround, consider disabling the use of `ansible_facts` as a subkey of itself when inject is enabled to minimize the risk of exploitation.