CVE-2024-9902

Advisory

Affected versions of Ansible are vulnerable to Incorrect Authorization (CWE-863). This flaw allows unprivileged users to silently create or replace any file on the system and assume ownership when a privileged user executes the user module against the unprivileged user's home directory. The attack requires the attacker to have traversal permissions on the directory containing the target file. To exploit, an attacker leverages these permissions to manipulate file contents.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

• https://github.com/advisories/GHSA-32p4-gm2c-wmch
• https://github.com/ansible/ansible/commit/f7be90626da3035c697623dcf9c90b7a0bc91c92
• https://github.com/ansible/ansible/commit/9d7312f695639e804d2caeb1d0f51c716a9ac7dd
• https://github.com/ansible/ansible/commit/3b6de811abea0a811e03e3029222a7e459922892
• https://github.com/ansible/ansible/commit/03daf774d0d80fb7235910ed1c2b4fbcaebdfe65
• https://github.com/ansible/ansible/commit/03794735d370db98a5ec2ad514fab2b0dd22d6be
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9902