CVE-2024-9902

EPSS 0.05%
Published 06.11.2024 10:15:06
Last modified 25.02.2025 20:15:36
Source secalert@redhat.com
Teams watchlist Login
Open Login

A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.

Affected products Warnungen 0 Metrics 2 CWE 1 References 9

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Collection URLhttps://github.com/ansible/ansible

≫

Package ansible-core

Default Statusunaffected

Version < 2.14.18rc1

Version 0

Status affected

Version < 2.15.13rc1

Version 2.15.0b1

Status affected

Version < 2.16.13rc1

Version 2.16.0b1

Status affected

Version < 2.17.6rc1

Version 2.17.0b1

Status affected

Version < 2.18.0rc2

Version 2.18.0b1

Status affected

VendorRed Hat

≫

Product Ansible Automation Platform Execution Environments

Default Statusaffected

Version < *

Version 3.0.1-96

Status unaffected

VendorRed Hat

≫

Product Ansible Automation Platform Execution Environments

Default Statusaffected

Version < *

Version 3.0.1-95

Status unaffected

VendorRed Hat

≫

Product Ansible Automation Platform Execution Environments

Default Statusaffected

Version < *

Version 2.9.27-32

Status unaffected

VendorRed Hat

≫

Product Ansible Automation Platform Execution Environments

Default Statusaffected

Version < *

Version 2.13.10-34

Status unaffected

VendorRed Hat

≫

Product Ansible Automation Platform Execution Environments

Default Statusaffected

Version < *

Version 2.18.0-2

Status unaffected

VendorRed Hat

≫

Product Red Hat Ansible Automation Platform 2.4 for RHEL 8

Default Statusaffected

Version < *

Version 1:2.15.13-1.el8ap

Status unaffected

VendorRed Hat

≫

Product Red Hat Ansible Automation Platform 2.4 for RHEL 9

Default Statusaffected

Version < *

Version 1:2.15.13-1.el9ap

Status unaffected

VendorRed Hat

≫

Product Red Hat Ansible Automation Platform 2.5 for RHEL 8

Default Statusaffected

Version < *

Version 1:2.16.13-1.el8ap

Status unaffected

VendorRed Hat

≫

Product Red Hat Ansible Automation Platform 2.5 for RHEL 9

Default Statusaffected

Version < *

Version 1:2.16.13-1.el9ap

Status unaffected

VendorRed Hat

≫

Product Red Hat OpenStack Platform 17.1 for RHEL 9

Default Statusaffected

Version < *

Version 0:2.14.2-4.6.el9ost

Status unaffected

VendorRed Hat

≫

Product Red Hat Enterprise Linux 10

Default Statusunaffected

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.136

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
secalert@redhat.com	6.3	0.8	5.5	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L

CWE-863 Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.

https://access.redhat.com/errata/RHSA-2024:10762

https://access.redhat.com/errata/RHSA-2024:8969

https://access.redhat.com/errata/RHSA-2024:9894

https://access.redhat.com/errata/RHSA-2025:1861

https://access.redhat.com/security/cve/CVE-2024-9902

https://bugzilla.redhat.com/show_bug.cgi?id=2318271

https://nvd.nist.gov/vuln/detail/CVE-2024-9902

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-9902

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-9902

EUVD