CVE-2020-10684: Code Injection

March 24, 2020 (updated December 20, 2021)

When using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.

References

bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684
nvd.nist.gov/vuln/detail/CVE-2020-10684

Detect and mitigate CVE-2020-10684 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →