CVE-2016-8614

MEDIUM

Ansible <2.2.0 - OpenPGP Key Injection

Title source: llm

Description

A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.

References (5)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/94108

[Exploit, Issue Tracking, Patch, Third Party Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614

[Third Party Advisory] https://github.com/ansible/ansible-modules-core/pull/5353

[Third Party Advisory] https://github.com/ansible/ansible-modules-core/pull/5357

[Exploit, Third Party Advisory] https://github.com/ansible/ansible-modules-core/issues/5237

Scores

CVSS v3 6.3

EPSS 0.0008

EPSS Percentile 23.2%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

Details

CWE

CWE-320 CWE-358

Status published

Products (2)

pypi/ansible 0 - 2.2.0.0PyPI

redhat/ansible < 2.2.0

Published Jul 31, 2018

Tracked Since Feb 18, 2026