What is CVE-2020-14365?

CVE-2020-14365 is a vulnerability in Ansible, classified under Improper Verification of Cryptographic Signature. Published 2020-09-23.

Is CVE-2020-14365 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Vulnerability in Ansible

CVE-2020-14365

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check…

EPSS: 0.001 (21.8th percentile) — read the EPSS interpretation.

Affected products

N/a Ansible — versions ansible-engine 2.8.15, ansible-engine 2.9.13

Weakness classification (CWE)

CWE-347 — Improper Verification of Cryptographic Signature

Public proof-of-concept exploits

References

bugzilla.redhat.com/show_bug.cgi (x_refsource_MISC)
DSA-4950 (vendor-advisory, x_refsource_DEBIAN)

Frequently asked questions

What is CVE-2020-14365?: CVE-2020-14365 is a vulnerability in Ansible, classified under Improper Verification of Cryptographic Signature. Published 2020-09-23.
Is CVE-2020-14365 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.