Main Vulnerability Database SB2020090226

SB2020090226 - Ansible Engine 2 update for ansible

Published: September 2, 2020

Security Bulletin ID SB2020090226

Severity

Low

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Local access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2020-14365)

The vulnerability allows a local authenticated user to #BASIC_IMPACT#.

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2020:3600