Search for vulnerabilities
Vulnerability details: VCID-nf9q-7p4u-8uer
Vulnerability ID VCID-nf9q-7p4u-8uer
Aliases CVE-2020-10684
GHSA-p62g-jhg6-v3rq
PYSEC-2020-207
Summary A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.
Status Published
Exploitability 0.5
Weighted Severity 7.1
Risk 3.5
Affected and Fixed Packages Package Details
Weaknesses (6)
CWE-250 Execution with Unnecessary Privileges
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-862 Missing Authorization
CWE-94 Improper Control of Generation of Code ('Code Injection')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 7.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-10684.json
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
epss 0.00023 https://api.first.org/data/v1/epss?cve=CVE-2020-10684
cvssv3.1 7.1 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684
cvssv3.1 7.1 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 7.1 https://github.com/advisories/GHSA-p62g-jhg6-v3rq
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-p62g-jhg6-v3rq
generic_textual MODERATE https://github.com/advisories/GHSA-p62g-jhg6-v3rq
cvssv3.1 7.1 https://github.com/ansible/ansible
generic_textual MODERATE https://github.com/ansible/ansible
cvssv3.1 7.1 https://github.com/ansible/ansible/commit/0b4788a71fc7d24ffa957a94ee5e23d6a9733ab0
generic_textual MODERATE https://github.com/ansible/ansible/commit/0b4788a71fc7d24ffa957a94ee5e23d6a9733ab0
cvssv3.1 7.1 https://github.com/ansible/ansible/commit/1d0d2645eed36ac4e17052ab4eacf240132d96fb
generic_textual MODERATE https://github.com/ansible/ansible/commit/1d0d2645eed36ac4e17052ab4eacf240132d96fb
cvssv3.1 7.1 https://github.com/ansible/ansible/commit/5eabf7bb93c9bfc375b806a2b1f623d650cddc2b
generic_textual MODERATE https://github.com/ansible/ansible/commit/5eabf7bb93c9bfc375b806a2b1f623d650cddc2b
cvssv3.1 7.1 https://github.com/ansible/ansible/commit/a9d2ceafe429171c0e2ad007058b88bae57c74ce
generic_textual MODERATE https://github.com/ansible/ansible/commit/a9d2ceafe429171c0e2ad007058b88bae57c74ce
cvssv3.1 7.1 https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-207.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-207.yaml
cvssv3.1 7.1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW
cvssv3.1 7.1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S
cvssv3.1 7.1 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB
cvssv2 3.6 https://nvd.nist.gov/vuln/detail/CVE-2020-10684
cvssv3.1 7.1 https://nvd.nist.gov/vuln/detail/CVE-2020-10684
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2020-10684
cvssv3.1 7.1 https://security.gentoo.org/glsa/202006-11
generic_textual MODERATE https://security.gentoo.org/glsa/202006-11
cvssv3.1 7.1 https://www.debian.org/security/2021/dsa-4950
generic_textual MODERATE https://www.debian.org/security/2021/dsa-4950
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-10684.json
https://api.first.org/data/v1/epss?cve=CVE-2020-10684
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10206
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14864
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10684
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14332
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14365
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20228
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/advisories/GHSA-p62g-jhg6-v3rq
https://github.com/ansible/ansible
https://github.com/ansible/ansible/commit/0b4788a71fc7d24ffa957a94ee5e23d6a9733ab0
https://github.com/ansible/ansible/commit/1d0d2645eed36ac4e17052ab4eacf240132d96fb
https://github.com/ansible/ansible/commit/5eabf7bb93c9bfc375b806a2b1f623d650cddc2b
https://github.com/ansible/ansible/commit/a9d2ceafe429171c0e2ad007058b88bae57c74ce
https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-207.yaml
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
https://nvd.nist.gov/vuln/detail/CVE-2020-10684
https://security.gentoo.org/glsa/202006-11
https://www.debian.org/security/2021/dsa-4950
1815519 https://bugzilla.redhat.com/show_bug.cgi?id=1815519
cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:ansible_tower:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*
cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:fedoraproject:fedora:32:*:*:*:*:*:*:*
RHSA-2020:1541 https://access.redhat.com/errata/RHSA-2020:1541
RHSA-2020:1542 https://access.redhat.com/errata/RHSA-2020:1542
RHSA-2020:1543 https://access.redhat.com/errata/RHSA-2020:1543
RHSA-2020:1544 https://access.redhat.com/errata/RHSA-2020:1544
No exploits are available.
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-10684.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/advisories/GHSA-p62g-jhg6-v3rq
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/ansible/ansible
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/ansible/ansible/commit/0b4788a71fc7d24ffa957a94ee5e23d6a9733ab0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/ansible/ansible/commit/1d0d2645eed36ac4e17052ab4eacf240132d96fb
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/ansible/ansible/commit/5eabf7bb93c9bfc375b806a2b1f623d650cddc2b
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/ansible/ansible/commit/a9d2ceafe429171c0e2ad007058b88bae57c74ce
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-207.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:L/AC:L/Au:N/C:N/I:P/A:P Found at https://nvd.nist.gov/vuln/detail/CVE-2020-10684
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2020-10684
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://security.gentoo.org/glsa/202006-11
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H Found at https://www.debian.org/security/2021/dsa-4950
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.04518
EPSS Score 0.00023
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:08:39.205706+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2020-207.yaml 37.0.0