CVE-2020-14365

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.
References
Link Resource
https://bugzilla.redhat.com/show_bug.cgi?id=1869154 Issue Tracking Vendor Advisory
https://www.debian.org/security/2021/dsa-4950 Third Party Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:3.0:*:*:*:*:*:*:*

Configuration 2 (hide)

OR cpe:2.3:a:redhat:ceph_storage:2.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ceph_storage:3.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack_platform:10.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack_platform:13.0:*:*:*:*:*:*:*

Configuration 3 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

05 Apr 2022, 15:29

Type Values Removed Values Added
CPE cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
References
  • (DEBIAN) https://www.debian.org/security/2021/dsa-4950 - Third Party Advisory

Information

Published : 2020-09-23 13:15

Updated : 2024-02-04 21:23


NVD link : CVE-2020-14365

Mitre link : CVE-2020-14365

CVE.ORG link : CVE-2020-14365


JSON object : View

Products Affected

debian

  • debian_linux

redhat

  • ceph_storage
  • openstack_platform
  • ansible_tower
  • ansible_engine
CWE
CWE-347

Improper Verification of Cryptographic Signature