The ansible-core `user` module contains an exploitable flaw that can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner. Requirements to exploit (if any) - Someone with root privileges must use the `user` module with the`generate_ssh_key` option (disabled by default) and targeting an unprivileged user. - Access to the same unprivileged user on a system managed by the above automation.
Was it resolved upstream? I don't see any JIRA or Bugzilla trackers for our ansible products - is that an oversight?
It was, and it's referenced in changelogs and commits, but the Ansible community does not apparently issue GHSAs
In any case, this is not embargoed; there's public commits mentioning this issue.
This issue has been addressed in the following products: Ansible Automation Platform Execution Environments Via RHSA-2024:8969 https://access.redhat.com/errata/RHSA-2024:8969
Is this vulnerability applying also ansible-2.9.27-1.el8ae.noarch (cli mode only)?
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.5 for RHEL 8 Red Hat Ansible Automation Platform 2.5 for RHEL 9 Via RHSA-2024:9894 https://access.redhat.com/errata/RHSA-2024:9894
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.4 for RHEL 8 Red Hat Ansible Automation Platform 2.4 for RHEL 9 Via RHSA-2024:10762 https://access.redhat.com/errata/RHSA-2024:10762
This issue has been addressed in the following products: Red Hat OpenStack Platform 17.1 for RHEL 9 Via RHSA-2025:1861 https://access.redhat.com/errata/RHSA-2025:1861