CVE-2020-10684: 
Ansible Tower vulnerability analysis and mitigation

CVE-2020-10684 is a vulnerability discovered in Ansible Engine affecting all versions 2.7.x, 2.8.x, and 2.9.x prior to 2.7.17, 2.8.9, and 2.9.6 respectively. The vulnerability was discovered by Damien Aumaitre and Nicolas Surbayrole from Quarkslab and was disclosed in March 2020 (Red Hat Bugzilla).

The vulnerability occurs when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, which results in overwriting the ansible_facts after the clean. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) by NIST with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H, and a score of 7.9 (HIGH) by Red Hat with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H (NVD).

An attacker could exploit this vulnerability by altering the ansible_facts, such as ansible_hosts, users, and any other key data, which could lead to privilege escalation or code injection (Red Hat Bugzilla).

The vulnerability has been fixed in Ansible Engine versions 2.7.17, 2.8.9, and 2.9.6. Prior to patching, there is no known mitigation except avoiding the functionality of using ansible_facts as a subkey (Red Hat Bugzilla). Various distributions have released security updates including Fedora, Debian, and Gentoo (Gentoo Advisory, Debian Advisory).