Main Vulnerability Database Vulnerabilities #VU36806

#VU36806 Key management errors in Ansible - CVE-2016-8614

Published: July 31, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU36806

Vulnerability risk: Medium

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2016-8614

CWE-ID: CWE-320

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Ansible

Software vendor:
Red Hat Inc.

Description

The vulnerability allows a remote non-authenticated attacker to manipulate data.

A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.

Remediation

Install update from vendor's website.

External links

http://www.securityfocus.com/bid/94108
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614
https://github.com/ansible/ansible-modules-core/issues/5237
https://github.com/ansible/ansible-modules-core/pull/5353
https://github.com/ansible/ansible-modules-core/pull/5357

#VU36806 Key management errors in Ansible - CVE-2016-8614

Description

Remediation

External links

Please verify you're human