PT-2018-5034 · Red Hat+4 · Ansible+4

Ypid

Published

2017-03-30

Updated

2025-03-28

CVE-2016-8614

CVSS v4.0

8.7

High

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions Ansible versions prior to 2.2.0

Description A flaw was found in the apt key module, which does not properly verify key fingerprints. This allows a remote adversary to create an OpenPGP key that matches the short key ID and inject this key instead of the correct key.

Recommendations For versions prior to 2.2.0, update to version 2.2.0 or later to resolve the issue. As a temporary workaround, consider disabling the apt key module until a patch is available. Restrict access to the apt key module to minimize the risk of exploitation.

Exploit

Fix

Improperly Implemented Security Check for Standard

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-320CWE-358

Related Identifiers

ALT-PU-2017-1386

CVE-2016-8614

GHSA-CMWX-9M2H-X7V4

MGASA-2017-0164

OPENSUSE-SU-2017:2976-1

OPENSUSE-SU-2017:2978-1

PYSEC-2018-37

SUSE-SU-2020:3309-1

SUSE-SU-2024:1509-1

USN-7330-1

USN-7330-2

Affected Products

Alt Linux

Ansible

Ansible-Core

Linuxmint

Ubuntu

PT-2018-5034 · Red Hat+4 · Ansible+4

CVE-2016-8614

Weakness Enumeration

Related Identifiers

Affected Products

References · 170