PT-2020-5206 · Red Hat · Ansible Engine

Damien Aumaitre

Published 2020-03-12 · Updated 2026-06-03

CVE-2020-10684

CVSS v3.1: 7.9 (High)

Vector: AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Ansible Engine versions 2.7.x through 2.7.17
Ansible Engine versions 2.8.x through 2.8.9
Ansible Engine versions 2.9.x through 2.9.6

Description

A flaw was found in Ansible Engine when ansible facts are used as a subkey of themselves and promoted to a variable while inject is enabled; this overwrites the ansible facts after the clean step. An attacker could take advantage of this by altering the ansible facts, such as ansible hosts, users, and any other key data, which would lead to privilege escalation or code injection.

Recommendations

For Ansible Engine versions 2.7.x through 2.7.17, update to version 2.7.17 or later. For Ansible Engine versions 2.8.x through 2.8.9, update to version 2.8.9 or later. For Ansible Engine versions 2.9.x through 2.9.6, update to version 2.9.6 or later. As a temporary workaround, consider disabling the use of ansible facts as a subkey of itself when inject is enabled, to minimize the risk of exploitation.

Fix

Weakness Enumeration

Race Condition
Missing Authorization
Code Injection

Related Identifiers

ALT-PU-2020-1453
ALT-PU-2020-1490
BDU:2020-05829
CVE-2020-10684
DSA-4950-1
GHSA-P62G-JHG6-V3RQ
MGASA-2020-0217
OESA-2021-1349
OESA-2022-1950
OPENSUSE-SU-2022:0081-1
OPENSUSE-SU-2024:10615-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
OPENSUSE-SU-2026:10944-1
PYSEC-2020-207
RHSA-2020:1541
RHSA-2020:1542
RHSA-2020:1543
RHSA-2020:1544
SUSE-SU-2020:3309-1

Affected Products

Alt Linux
Ansible-Core
Ansible Engine
Astra Linux