CVE-2020-14365

moderate-risk

Published 2020-09-23

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.

Do I need to act?

0.07% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 7.1/10 High

LOCAL / LOW complexity

Affected Products (8)

Ansible Engine

Ansible Tower

Ceph Storage

Openstack Platform

Debian Linux

Affected Vendors

Debian Redhat

References (4)

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1869154

Third Party Advisory https://www.debian.org/security/2021/dsa-4950

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=1869154

Third Party Advisory https://www.debian.org/security/2021/dsa-4950

/ 100

moderate-risk

Severity 22/34 · High

Exploitability 0/34 · Minimal

Exposure 14/34 · Moderate