Description
A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.
References (5)
Core 5
Core References
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/94108
Exploit, Issue Tracking, Patch, Third Party Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614
Third Party Advisory x_refsource_confirm
https://github.com/ansible/ansible-modules-core/pull/5353
Third Party Advisory x_refsource_confirm
https://github.com/ansible/ansible-modules-core/pull/5357
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/ansible/ansible-modules-core/issues/5237
Scores
CVSS v3
6.3
EPSS
0.0246
EPSS Percentile
82.3%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Details
CWE
CWE-320
CWE-358
Status
published
Products (2)
pypi/ansible
0 - 2.2.0.0PyPI
redhat/ansible
< 2.2.0
Published
Jul 31, 2018
Tracked Since
Feb 18, 2026