Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2024-9902

Good to know:

icon
icon
icon

Date: November 6, 2024

A flaw was found in Ansible. The ansible-core "user" module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the "user" module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.

Language: Python

Severity Score

Related Resources (11)

https://access.redhat.com/security/cve/CVE-2024-9902
https://github.com/ansible/ansible
https://github.com/ansible/ansible/commit/03794735d370db98a5ec2ad514fab2b0dd22d6be
https://bugzilla.redhat.com/show_bug.cgi?id=2318271
https://access.redhat.com/errata/RHSA-2024:8969
https://github.com/ansible/ansible/commit/f7be90626da3035c697623dcf9c90b7a0bc91c92
https://github.com/ansible/ansible/commit/03daf774d0d80fb7235910ed1c2b4fbcaebdfe65
https://github.com/ansible/ansible/commit/9d7312f695639e804d2caeb1d0f51c716a9ac7dd
https://github.com/ansible/ansible/commit/3b6de811abea0a811e03e3029222a7e459922892
https://nvd.nist.gov/vuln/detail/CVE-2024-9902
https://www.mend.io/vulnerability-database/CVE-2024-9902

Severity Score

Weakness Type (CWE)

Incorrect Authorization

CWE-863

Top Fix

icon

Upgrade Version

Upgrade to version ansible-core - 2.14.18,2.15.13,2.16.13,2.17.6

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): LOCAL
Attack Complexity (AC): HIGH
Privileges Required (PR): LOW
User Interaction (UI): REQUIRED
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): LOW

Do you need more information?

Contact Us