Homepage
About Snyk

Improper Verification of Cryptographic Signature Affecting ansible package, versions [2.8.0,2.8.15) [2.9.0,2.9.13)

0.0
high

Snyk CVSS

    Attack Complexity Low
    Integrity High

    Threat Intelligence

    EPSS 0.04% (12th percentile)
Expand this section
NVD
7.1 high
Expand this section
SUSE
6.3 medium
Expand this section
Red Hat
6.3 medium

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-PYTHON-ANSIBLE-1012562
  • published 24 Sep 2020
  • disclosed 24 Sep 2020
  • credit Unknown
Report a new vulnerability Found a mistake?

Introduced: 24 Sep 2020

CVE-2020-14365 Open this link in a new tab
CWE-347 Open this link in a new tab

How to fix?

Upgrade ansible to version 2.8.15, 2.9.13 or higher.

Overview

ansible is a simple IT automation system.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. A flaw was found in the Ansible Engine when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behaviour. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.

References