Bug 2318271 (CVE-2024-9902)

Summary: CVE-2024-9902 ansible-core: Ansible-core user may read/write unauthorized content
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: brking, eglynn, haoli, hkataria, jajackso, jcammara, jjoyce, jmitchel, jneedle, jschluet, kegrant, koliveir, kshier, lhh, lsvaty, mabashia, mburns, mgarciac, mihai.albert, pbraun, pgrist, rhos-maint, security-response-team, shrjoshi, shvarugh, simaishi, smcdonal, stcannon, teagle, tfister, thavo, tvignaud, yguenane
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2333128    
Bug Blocks:    

Description OSIDB Bzimport 2024-10-12 02:47:40 UTC 
The ansible-core `user` module contains an exploitable flaw that can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file,
they retain full control over the contents of the file as its owner.

Requirements to exploit (if any)
- Someone with root privileges must use the `user` module with
the`generate_ssh_key` option (disabled by default) and targeting an
unprivileged user.
- Access to the same unprivileged user on a system managed by the above
automation.
Comment 1 Lon Hohberger 2024-11-04 17:53:11 UTC 
Was it resolved upstream? I don't see any JIRA or Bugzilla trackers for our ansible products - is that an oversight?
Comment 2 Lon Hohberger 2024-11-04 17:56:28 UTC 
It was, and it's referenced in changelogs and commits, but the Ansible community does not apparently issue GHSAs
Comment 3 Lon Hohberger 2024-11-04 17:57:08 UTC 
In any case, this is not embargoed; there's public commits mentioning this issue.
Comment 4 errata-xmlrpc 2024-11-06 17:12:36 UTC 
This issue has been addressed in the following products:

  Ansible Automation Platform Execution Environments

Via RHSA-2024:8969 https://access.redhat.com/errata/RHSA-2024:8969
Comment 5 mihai.albert 2024-11-13 16:14:53 UTC 
Is this vulnerability applying also ansible-2.9.27-1.el8ae.noarch (cli mode only)?
Comment 6 errata-xmlrpc 2024-11-18 16:52:59 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2024:9894 https://access.redhat.com/errata/RHSA-2024:9894
Comment 7 errata-xmlrpc 2024-12-03 16:17:20 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2024:10762 https://access.redhat.com/errata/RHSA-2024:10762
Comment 8 errata-xmlrpc 2025-02-25 19:36:04 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 17.1 for RHEL 9

Via RHSA-2025:1861 https://access.redhat.com/errata/RHSA-2025:1861