A flaw was found in Ansible Engine when the module package or service is used and the parameter ‘use’ is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
CPE | Name | Operator | Version |
---|---|---|---|
ansible | ge | 2.9.0 | |
ansible | le | 2.9.5 | |
ansible | le | 2.7.16 | |
ansible | ge | 2.8.0 | |
ansible | le | 2.8.8 | |
ansible_tower | le | 3.3.4 | |
ansible_tower | ge | 3.6.0 | |
ansible_tower | le | 3.6.3 | |
ansible_tower | ge | 3.5.0 | |
ansible_tower | le | 3.5.5 |