Main Vulnerability Database SB20200930123

SB20200930123 - Multiple vulnerabilities in Ansible Automation Platform 1.0 packages

Published: September 30, 2020 Updated: April 24, 2025

Security Bulletin ID SB20200930123

Severity

Low

Patch available

YES

Number of vulnerabilities 2

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cross-site scripting (CVE-ID: CVE-2020-25626)

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user's browser in context of vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change appearance of the web page, perform phishing and drive-by-download attacks.

2) Improper Verification of Cryptographic Signature (CVE-ID: CVE-2020-14365)

The vulnerability allows a local authenticated user to #BASIC_IMPACT#.

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.

Remediation

Install update from vendor's website.

References

https://access.redhat.com/errata/RHSA-2020:4137