{"id":"PYSEC-2020-207","details":"A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.","aliases":["CVE-2020-10684","GHSA-p62g-jhg6-v3rq"],"modified":"2023-11-08T04:01:59.204492Z","published":"2020-03-24T14:15:00Z","references":[{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202006-11"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-p62g-jhg6-v3rq"}],"affected":[{"package":{"name":"ansible","ecosystem":"PyPI","purl":"pkg:pypi/ansible"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.7.0"},{"fixed":"2.7.17"},{"introduced":"2.8.0"},{"fixed":"2.8.9"},{"introduced":"2.9.0"},{"fixed":"2.9.6"}]}],"versions":["2.7.0","2.7.1","2.7.10","2.7.11","2.7.12","2.7.13","2.7.14","2.7.15","2.7.16","2.7.2","2.7.3","2.7.4","2.7.5","2.7.6","2.7.7","2.7.8","2.7.9","2.8.0","2.8.1","2.8.2","2.8.3","2.8.4","2.8.5","2.8.6","2.8.7","2.8.8","2.9.0","2.9.1","2.9.2","2.9.3","2.9.4","2.9.5"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2020-207.yaml"}}],"schema_version":"1.7.3"}