CVE-2016-8614

Impact:
Moderate
Public Date:
2016-11-01
CWE:
CWE-358
Bugzilla:
1388038: CVE-2016-8614 ansible: Improper verification of key fingerprints in apt_key module

The MITRE CVE dictionary describes this issue as:

A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.

Find out more about CVE-2016-8614 from the MITRE CVE dictionary dictionary and NIST NVD.

CVSS v2 metrics

NOTE: The following CVSS v2 metrics and score provided are preliminary and subject to review.

Base Score 6.8
Base Metrics AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector Network
Access Complexity Medium
Authentication None
Confidentiality Impact Partial
Integrity Impact Partial
Availability Impact Partial

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score 6.3
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Unchanged
Confidentiality Low
Integrity Impact Low
Availability Impact Low

Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).

Affected Packages State

Platform Package State
Red Hat Storage Console 2 ansible Not affected
Red Hat OpenStack Platform 10 ansible Not affected
Red Hat OpenShift Enterprise 3 ansible Not affected
Red Hat Gluster Storage 3.0 ansible Not affected
Last Modified

CVE description copyright © 2017, The MITRE Corporation