CVE-2020-14365

HIGH

Ansible Engine 2.8.0-2.8.14 and 2.9.0-2.9.12 - Improper Verification of Cryptographic Signature in DNF Module

Title source: llm

Description

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.

References (2)

Core 2

Core References

Issue Tracking, Vendor Advisory x_refsource_misc

https://bugzilla.redhat.com/show_bug.cgi?id=1869154

Third Party Advisory vendor-advisory x_refsource_debian

https://www.debian.org/security/2021/dsa-4950

Scores

CVSS v3 7.1

EPSS 0.0007

EPSS Percentile 21.5%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

Details

CWE

CWE-347

Status published

Products (9)

debian/debian_linux 10.0

pypi/ansible 2.8.0a1 - 2.8.15PyPI

redhat/ansible_engine 2.8.0 - 2.8.15

redhat/ansible_tower 3.0

redhat/ansible_tower 3.6.0 - 3.6.5

redhat/ceph_storage 2.0

redhat/ceph_storage 3.0

redhat/openstack_platform 10.0

redhat/openstack_platform 13.0

Published Sep 23, 2020

Tracked Since Feb 18, 2026