CVE-2020-14365

Public on 2020-09-23
Modified on 2024-02-10
Description
A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.
Severity
Important severity
Important
CVSS v3 Base Score
7.1
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2 - Ansible2 Extra ansible 2023-08-21 ALAS2ANSIBLE2-2023-005 Fixed
Amazon Linux 2023 ansible-core Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
NVD CVSSv2 6.6 AV:L/AC:L/Au:N/C:N/I:C/A:C
NVD CVSSv3 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H