CVE-2020-10684: Code Injection
When ansible_facts is used as a subkey of itself and promoted to a variable while inject is enabled, ansible_facts is overwritten after the clean. An attacker could take advantage of this by altering ansible_facts values, such as ansible_hosts, users and any other key data, which would lead to privilege escalation or code injection.
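As an added example (not Ansible's own code or its fix), the Python below checks a module result for the shape described above, an ansible_facts key nested inside ansible_facts, and returns a copy with the nested entry dropped. The function names and sample results are constructed for illustration, and it goes slightly beyond the text by also walking per-item loop output under results.

```python
from collections.abc import Mapping

FACTS_KEY = "ansible_facts"


def nested_fact_paths(node, path=(), inside=False):
    """Yield key paths where FACTS_KEY occurs inside another FACTS_KEY mapping."""
    if isinstance(node, Mapping):
        for key, value in node.items():
            here = path + (key,)
            is_facts = key == FACTS_KEY
            if is_facts and inside:
                yield here
            yield from nested_fact_paths(value, here, inside or is_facts)
    elif isinstance(node, (list, tuple)):
        for index, item in enumerate(node):
            yield from nested_fact_paths(item, path + (index,), inside)


def strip_nested_facts(node, inside=False):
    """Return a copy of node with every nested FACTS_KEY entry dropped."""
    if isinstance(node, Mapping):
        return {
            key: strip_nested_facts(value, inside or key == FACTS_KEY)
            for key, value in node.items()
            if not (inside and key == FACTS_KEY)
        }
    if isinstance(node, (list, tuple)):
        return [strip_nested_facts(item, inside) for item in node]
    return node


# Constructed sample results (hypothetical, not captured from a real run).
CLEAN_RESULT = {"changed": False, "ansible_facts": {"ansible_distribution": "Debian"}}
SUSPECT_RESULT = {
    "changed": False,
    "ansible_facts": {
        "ansible_distribution": "Debian",
        "ansible_facts": {"ansible_user": "constructed"},
    },
}
LOOP_RESULT = {"results": [CLEAN_RESULT, SUSPECT_RESULT]}

if __name__ == "__main__":
    samples = {"clean": CLEAN_RESULT, "suspect": SUSPECT_RESULT, "loop": LOOP_RESULT}
    for name, result in samples.items():
        print(name, list(nested_fact_paths(result)))
```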