Improper Verification of Cryptographic Signature

Affecting ansible package, versions [2.8.0,2.8.15) || [2.9.0,2.9.13)


Overview

ansible is a simple IT automation system.

Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. A flaw was found in Ansible Engine when installing packages with the dnf module: the module does not verify the GPG signatures of the packages it installs, even when disable_gpg_check is left at its default value of False. Because the default offers no protection, setting the option explicitly does not help; only upgrading does. An attacker who can serve or tamper with packages can therefore have unsigned or modified packages installed and arbitrary code executed through package installation scripts. The highest threat from this vulnerability is to integrity and system availability.

Remediation

Upgrade ansible to version 2.8.15, 2.9.13 or higher.
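To check whether a host still runs an affected release, the version has to be compared against the two half-open intervals listed at the top of this advisory. The script below is an added example (it is not Snyk's or the Ansible project's code): it parses that interval notation, compares a version against it, and extracts the version from the first line of `ansible --version` output. The sample output string is constructed for the example; the function and variable names are the example's own.

```python
"""Check an Ansible version against the affected ranges in this advisory.

Added example, not code from Snyk or from Ansible. Parses the advisory's
interval notation "[lo,hi) || [lo,hi)" (lo inclusive, hi exclusive) and
decides whether a given version still ships the dnf module that skips
GPG verification.
"""
import re
import subprocess
from typing import List, Tuple

# Copied from the "Affecting" line of this advisory.
AFFECTED = "[2.8.0,2.8.15) || [2.9.0,2.9.13)"

# Constructed sample of `ansible --version` output (not captured from a real host).
SAMPLE_OUTPUT = """ansible 2.9.10
  config file = /etc/ansible/ansible.cfg
  python version = 3.8.5
"""

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.9.13' -> (2, 9, 13). Pads to three components so '2.9' == '2.9.0'.

    A trailing pre-release or post-release suffix (e.g. 'rc1') is ignored.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"not a version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def parse_ranges(spec: str) -> List[Tuple[Version, Version]]:
    """Parse '[lo,hi) || [lo,hi)' into (lo, hi) tuples; lo inclusive, hi exclusive."""
    ranges = []
    for chunk in spec.split("||"):
        m = re.fullmatch(r"\s*\[([^,]+),([^)]+)\)\s*", chunk)
        if not m:
            raise ValueError(f"unsupported range syntax: {chunk!r}")
        ranges.append((parse_version(m.group(1)), parse_version(m.group(2))))
    return ranges


def is_affected(version: str, spec: str = AFFECTED) -> bool:
    """True if `version` falls inside any affected interval."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in parse_ranges(spec))


def version_from_cli_output(output: str) -> str:
    """Pull the version out of the first line of `ansible --version`.

    Handles both the 2.x form 'ansible 2.9.10' and the newer
    'ansible [core 2.11.0]' form.
    """
    first = output.strip().splitlines()[0]
    m = re.search(r"ansible\s+(?:\[core\s+)?(\d+(?:\.\d+)+)", first)
    if not m:
        raise ValueError(f"cannot find version in: {first!r}")
    return m.group(1)


def check_local_install() -> bool:
    """Run `ansible --version` on this machine and report whether it is affected."""
    out = subprocess.run(["ansible", "--version"], capture_output=True,
                         text=True, check=True).stdout
    return is_affected(version_from_cli_output(out))


if __name__ == "__main__":
    v = version_from_cli_output(SAMPLE_OUTPUT)
    state = "AFFECTED" if is_affected(v) else "not affected"
    print(f"sample host: ansible {v} is {state} by CVE-2020-14365")
```

Versions at or above the fixed releases (2.8.15, 2.9.13) and anything outside the two listed series, such as 2.10.x, are reported as not affected; the check says nothing about whether the dnf module is actually used in a playbook, so it is a prerequisite for the upgrade decision rather than proof of exposure.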

CVSS Score

8.2
high severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    None
  • Scope
    Unchanged
  • Confidentiality
    None
  • Integrity
    High
  • Availability
    Low
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L/E:U/RL:O/RC:R
Credit
Unknown
CVE
CVE-2020-14365
CWE
CWE-347
Snyk ID
SNYK-PYTHON-ANSIBLE-1012562
Disclosed
24 Sep, 2020
Published
24 Sep, 2020