CVE-2020-10684

HIGH EXPLOITED IN THE WILD

Ansible Engine <2.7.17, 2.8.9, 2.9.6 - Privilege Escalation/Code In...


Exploitation Summary

CVE-2020-10684 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io).

Description

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively: when ansible_facts is used as a subkey of itself and promoted to a variable while inject is enabled, the ansible_facts are overwritten after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data, which would lead to privilege escalation or code injection.

Scores

CVSS v3 7.9
EPSS 0.0003
EPSS Percentile 8.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H

Details

VulnCheck KEV 2024-05-10
InTheWild.io 2024-05-17
CWE
CWE-862 CWE-362 CWE-94
Status published
Products (9)
debian/debian_linux 10.0
fedoraproject/fedora 30
fedoraproject/fedora 31
fedoraproject/fedora 32
pypi/ansible 2.7.0a1 - 2.7.17 (PyPI)
redhat/ansible 2.7.0 - 2.7.17
redhat/ansible_tower < 3.3.5
redhat/openstack 10
redhat/openstack 13
Published Mar 24, 2020
Tracked Since Feb 18, 2026