Main Vulnerability Database Vulnerabilities #VU36806

Key management errors in Ansible - CVE-2016-8614

Published: July 31, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU36806

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-8614

CWE-ID: CWE-320

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Red Hat Inc.

Affected software:
Ansible

Detailed vulnerability description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.

How to mitigate CVE-2016-8614

Install update from vendor's website.

Sources

http://www.securityfocus.com/bid/94108
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614
https://github.com/ansible/ansible-modules-core/issues/5237
https://github.com/ansible/ansible-modules-core/pull/5353
https://github.com/ansible/ansible-modules-core/pull/5357

Key management errors in Ansible - CVE-2016-8614

Detailed vulnerability description

How to mitigate CVE-2016-8614

Sources

Please verify you're human