Incorrect Authorization Affecting ansible-core package, versions [,2.14.18rc1) [2.15.0b1,2.15.13rc1) [2.16.0b1,2.16.13rc1) [2.17.0b1,2.17.6rc1) [2.18.0b1,2.18.0rc2)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-PYTHON-ANSIBLECORE-8349549
- published 7 Nov 2024
- disclosed 6 Nov 2024
- credit Matt Clay
Introduced: 6 Nov 2024
New CVE-2024-9902 Open this link in a new tabHow to fix?
Upgrade ansible-core to version 2.14.18rc1, 2.15.13rc1, 2.16.13rc1, 2.17.6rc1, 2.18.0rc2 or higher.
Overview
ansible-core is an a radically simple IT automation system. It handles configuration management, application deployment, cloud provisioning, ad-hoc task execution, network automation, and multi-node orchestration. Ansible makes complex changes like zero-downtime rolling updates with load balancers easy.
Affected versions of this package are vulnerable to Incorrect Authorization through the user module. An attacker can modify or replace file contents and take ownership of files on any system path by exploiting directory traversal permissions.
Note:
This is only exploitable if someone with root privileges uses the user module with the generate_ssh_key option (disabled by default) and targets an unprivileged user. The unprivileged user needs to have traversal permissions on the directory containing the exploited target file.