CVE-2016-8614
MEDIUM severity · CVSS 6.3 · CWE-358
6.3CVSS MEDIUM
Summary
A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges requiredNone
User interactionRequired
Confidentiality impactLow
Integrity impactLow
Availability impactLow
Exploit probability (EPSS)2%
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Affected products we track (1)
Recommendation
Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.
Official patch: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614 ↗
Additional information
- NVD record
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614Patch
- http://www.securityfocus.com/bid/94108Advisory
- https://github.com/ansible/ansible-modules-core/pull/5353Advisory
- https://github.com/ansible/ansible-modules-core/pull/5357Advisory
- https://github.com/ansible/ansible-modules-core/issues/5237Advisory