A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data, which would lead to privilege escalation or code injection.
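The version bounds above can be turned into a triage check for control nodes. This is an added example, not code from the advisory or from the Ansible project; the host names and sample strings are constructed, and it assumes each host reports either a bare version or a line of the form "ansible X.Y.Z".

```python
import re

# First release in each affected branch that carries the fix (from the text above).
FIXED = {(2, 7): 17, (2, 8): 9, (2, 9): 6}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(\S*)")


def classify(version_text):
    """Return 'affected', 'fixed', 'not-listed' or 'unknown' for a version string."""
    m = _VERSION.search(version_text)
    if not m:
        return "unknown"              # nothing that looks like X.Y.Z
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    suffix = m.group(4)
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is None:
        return "not-listed"           # branch outside 2.7.x / 2.8.x / 2.9.x
    if patch < fixed_patch:
        return "affected"
    if patch == fixed_patch and suffix:
        return "unknown"              # pre-release of the fixed version: text is silent
    return "fixed"


def triage(inventory):
    """Group hosts by classification; inventory maps host -> reported version text."""
    report = {}
    for host, text in sorted(inventory.items()):
        report.setdefault(classify(text), []).append(host)
    return report


# Constructed sample data, not taken from any real environment.
SAMPLE = {
    "ctl-01": "ansible 2.9.5",
    "ctl-02": "ansible 2.9.6",
    "ctl-03": "ansible 2.8.9rc1",
    "ctl-04": "ansible 2.7.16",
    "ctl-05": "ansible 2.10.0",
    "ctl-06": "version not reported",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:10} {', '.join(hosts)}")
```

Hosts in the "unknown" group need a manual check, since the text above does not say whether pre-release builds of the fixed versions contain the fix.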
CVE-2020-10684. CVEDatabase.com. Retrieved 1 May 2026. https://cvedatabase.com/cve/CVE-2020-10684