CVE-2016-8614
Ansible apt_key module does not properly verify key fingerprint
CVSS 3.1: 7.5 HIGH
EPSS: 0.10%
Description
A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing a remote adversary to create an OpenPGP key that matches the short key ID and inject this key instead of the correct key.
How to fix CVE-2016-8614
To remediate CVE-2016-8614, upgrade the affected package to one of the fixed versions listed below.
- —upgrade to 2.2.0.0-1 or later
- —upgrade to 2.2.0.0 or later
- —upgrade to 2.2.0.0 or later
Is CVE-2016-8614 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.2.0.0-1
- from 0, < 2.2.0.0
- from 0, < 2.2.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |