What is CVE-2020-10684?

CVE-2020-10684 is a high-severity vulnerability in Red Hat Ansible, classified under Code Injection. CVSS score: 7.9/10. Published 2020-03-24.

How severe is CVE-2020-10684?

High severity. CVSS v3 base score is 7.9 out of 10.

Is CVE-2020-10684 known to be exploited?

4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Red Hat Ansible

CVE-2020-10684

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the an…

Vulnerability class: RCE (Remote Code Execution)

EPSS: 0.000 (8.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.9 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H.

Affected products

Red Hat Ansible — versions all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.9, all Ansible 2.9.x versions prior to 2.9.6

Weakness classification (CWE)

Public proof-of-concept exploits

References

FEDORA-2020-1b6ce91e37 (vendor-advisory)
FEDORA-2020-3990f03ba3 (vendor-advisory)
FEDORA-2020-f80154b5b4 (vendor-advisory)
GLSA-202006-11 (vendor-advisory)
DSA-4950 (vendor-advisory)
bugzilla.redhat.com/show_bug.cgi

Frequently asked questions

What is CVE-2020-10684?: CVE-2020-10684 is a high-severity vulnerability in Red Hat Ansible, classified under Code Injection. CVSS score: 7.9/10. Published 2020-03-24.
How severe is CVE-2020-10684?: High severity. CVSS v3 base score is 7.9 out of 10.
Is CVE-2020-10684 known to be exploited?: 4 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.