PT-2024-39926 · Ansible+1 · Ansible+1

Matt Clay · Published 2024-09-17 · Updated 2026-06-03 · CVE-2024-9902

CVSS v3.1: 6.3 (Medium)

Vector: AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L

Name of the Vulnerable Software and Affected Versions

Ansible (affected versions not specified)

Description

A flaw was found in Ansible's ansible-core user module, allowing an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the user module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

Incorrect Authorization

Related Identifiers

AZL-52384
AZL-52417
BDU:2025-12356
CVE-2024-9902
DLA-3963-1
GHSA-32P4-GM2C-WMCH
MGASA-2025-0052
OESA-2024-2510
OESA-2024-2511
OESA-2024-2512
OESA-2024-2513
OPENSUSE-SU-2024:14498-1
OPENSUSE-SU-2024:14499-1
OPENSUSE-SU-2024:14537-1
OPENSUSE-SU-2025:15638-1
OPENSUSE-SU-2025:15754-1
OPENSUSE-SU-2026:10945-1
RHSA-2024:10762
RHSA-2024:9894
RHSA-2025:1861

Affected Products

Ansible
Astra Linux