Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zMnA0LWdtMmMtd21jaM4ABBBX
ansible-core Incorrect Authorization vulnerability
A flaw was found in Ansible. The ansible-core user module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the user module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zMnA0LWdtMmMtd21jaM4ABBBX
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 14 hours ago
Updated: about 5 hours ago
CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L
Identifiers: GHSA-32p4-gm2c-wmch, CVE-2024-9902
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-9902
- https://access.redhat.com/security/cve/CVE-2024-9902
- https://bugzilla.redhat.com/show_bug.cgi?id=2318271
- https://github.com/ansible/ansible/commit/03794735d370db98a5ec2ad514fab2b0dd22d6be
- https://github.com/ansible/ansible/commit/03daf774d0d80fb7235910ed1c2b4fbcaebdfe65
- https://github.com/ansible/ansible/commit/3b6de811abea0a811e03e3029222a7e459922892
- https://github.com/ansible/ansible/commit/9d7312f695639e804d2caeb1d0f51c716a9ac7dd
- https://github.com/ansible/ansible/commit/f7be90626da3035c697623dcf9c90b7a0bc91c92
- https://access.redhat.com/errata/RHSA-2024:8969
- https://github.com/advisories/GHSA-32p4-gm2c-wmch
Blast Radius: 21.0
Affected Packages
pypi:ansible-core
Dependent packages: 53Dependent repositories: 2,140
Downloads: 5,630,421 last month
Affected Version Ranges: >= 2.18.0b1, < 2.18.0rc2, >= 2.17.0b1, < 2.17.6rc1, >= 2.16.0b1, < 2.16.13rc1, >= 2.15.0b1, < 2.15.13rc1, < 2.14.18rc1
Fixed in: 2.18.0rc2, 2.17.6rc1, 2.16.13rc1, 2.15.13rc1, 2.14.18rc1
All affected versions: 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.7, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.12.8, 2.12.9, 2.12.10, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.13.8, 2.13.9, 2.13.10, 2.13.11, 2.13.12, 2.13.13, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.14.4, 2.14.5, 2.14.6, 2.14.7, 2.14.8, 2.14.9, 2.14.10, 2.14.11, 2.14.12, 2.14.13, 2.14.14, 2.14.15, 2.14.16, 2.14.17, 2.15.0, 2.15.0-b1, 2.15.0-b2, 2.15.0-b3, 2.15.0-rc1, 2.15.0-rc2, 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.15.6, 2.15.7, 2.15.8, 2.15.9, 2.15.10, 2.15.11, 2.15.12, 2.16.0, 2.16.0-b1, 2.16.0-b2, 2.16.0-rc1, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6, 2.16.7, 2.16.8, 2.16.9, 2.16.10, 2.16.11, 2.16.12, 2.17.0, 2.17.0-b1, 2.17.0-rc1, 2.17.0-rc2, 2.17.1, 2.17.2, 2.17.3, 2.17.4, 2.17.5, 2.18.0-b1, 2.18.0-rc1
All unaffected versions: 2.14.18, 2.15.13, 2.16.13, 2.17.6, 2.18.0