CVE-2016-8614
First published: Tue Jul 31 2018(Updated: )
A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Ansible | <2.2.0 | |
| pip/ansible | >=0<2.2.0.0 | 2.2.0.0 |
| <2.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/94108
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614
- https://github.com/ansible/ansible-modules-core/issues/5237
- https://github.com/ansible/ansible-modules-core/pull/5353
- https://github.com/ansible/ansible-modules-core/pull/5357
- https://nvd.nist.gov/vuln/detail/CVE-2016-8614
- https://github.com/advisories/GHSA-cmwx-9m2h-x7v4 (Advisory)
- https://github.com/ansible/ansible-modules-core/commit/1182d1f0b76d56f3667e27987a10b9ec8f03357d
- https://github.com/ansible/ansible-modules-core/commit/66d47c8149d84e52f64b7c4d1f340d45dca94d9c
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-37.yaml
- https://web.archive.org/web/20200227214450/https://www.securityfocus.com/bid/94108
Frequently Asked Questions
What is CVE-2016-8614?
CVE-2016-8614 is a vulnerability in Ansible before version 2.2.0 that allows a remote adversary to create a malicious OpenPGP key.
What is the severity of CVE-2016-8614?
The severity of CVE-2016-8614 is high, with a CVSS score of 7.5.
How does CVE-2016-8614 affect Ansible?
CVE-2016-8614 affects Ansible before version 2.2.0, specifically the apt_key module.
How can an attacker exploit CVE-2016-8614?
An attacker can exploit CVE-2016-8614 by creating an OpenPGP key that matches the short key ID and injecting it instead of the correct key.
Is there a fix for CVE-2016-8614?
Yes, the fix for CVE-2016-8614 is to upgrade to Ansible version 2.2.0 or later.
- collector/nvd-index
- agent/weakness
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-cmwx-9m2h-x7v4
- alias/CVE-2016-8614
- agent/software-canonical-lookup
- agent/last-modified-date
- agent/severity
- agent/references
- agent/description
- agent/author
- agent/tags
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- vendor/redhat
- canonical/redhat ansible
- package-manager/pip