CVE-2016-8614

Description

A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.

CVSS breakdown

CVSS 3.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Affected products

Red Hat / Ansible2.2.0 – 2.2.0

References

MISChttp://www.securityfocus.com/bid/94108
MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614
PATCHhttps://github.com/ansible/ansible-modules-core/pull/5353
PATCHhttps://github.com/ansible/ansible-modules-core/pull/5357
MISChttps://github.com/ansible/ansible-modules-core/issues/5237