CVE-2024-9902 Ansible-core: ansible-core user may read/write unauthorized content

🗓️ 06 Nov 2024 09:56:54Reported by redhatType

CVE-2024-9902 Ansible-core: user read/write unauthorized conten

Reporter	Title	Published	Views	Family All 84
IBM Security Bulletins	Security Bulletin: IBM Watson Speech Services Cartridge v5.1.1 is vulnerable to multiple Operator package issues	2 Apr 202517:43	–	ibm
IBM Security Bulletins	Security Bulletin: There are multiple vulnerabilities that can affect IBM Fusion HCI and IBM Fusion HCI for watsonx	31 May 202514:07	–	ibm
IBM Security Bulletins	Security Bulletin: IBM Security SOAR is using a component with a known vulnerability (CVE-2024-11079)	28 May 202615:37	–	ibm
IBM Security Bulletins	Security Bulletin: There are multiple vulnerabilities that can affect IBM Fusion	31 May 202514:06	–	ibm
Tenable Nessus	Amazon Linux 2023 : ansible-core, ansible-test (ALAS2023-2025-918)	1 Apr 202500:00	–	nessus
Tenable Nessus	Azure Linux 3.0 Security Update: ansible (CVE-2024-9902)	11 Jul 202500:00	–	nessus
Tenable Nessus	Debian dla-3963 : ansible - security update	24 Nov 202400:00	–	nessus
Tenable Nessus	Fedora 44 : ansible / ansible-core (2025-2842f20915)	11 Dec 202500:00	–	nessus
Tenable Nessus	CBL Mariner 2.0 Security Update: ansible (CVE-2024-9902)	11 Jul 202500:00	–	nessus
Tenable Nessus	NewStart CGSL MAIN 7.02 : ansible-core Multiple Vulnerabilities (NS-SA-2025-0114)	25 Jul 202500:00	–	nessus

[
  {
    "versions": [
      {
        "status": "affected",
        "version": "0",
        "lessThan": "2.14.18rc1",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "2.15.0b1",
        "lessThan": "2.15.13rc1",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "2.16.0b1",
        "lessThan": "2.16.13rc1",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "2.17.0b1",
        "lessThan": "2.17.6rc1",
        "versionType": "custom"
      },
      {
        "status": "affected",
        "version": "2.18.0b1",
        "lessThan": "2.18.0rc2",
        "versionType": "custom"
      }
    ],
    "packageName": "ansible-core",
    "collectionURL": "https://github.com/ansible/ansible",
    "defaultStatus": "unaffected"
  },
  {
    "vendor": "Red Hat",
    "product": "Ansible Automation Platform Execution Environments",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "ansible-automation-platform/ansible-builder-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "3.0.1-96",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_core:2::el9",
      "cpe:/a:redhat:ansible_core:2::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Ansible Automation Platform Execution Environments",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "ansible-automation-platform/ansible-builder-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "3.0.1-95",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_core:2::el9",
      "cpe:/a:redhat:ansible_core:2::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Ansible Automation Platform Execution Environments",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "ansible-automation-platform/ee-29-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "2.9.27-32",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_core:2::el9",
      "cpe:/a:redhat:ansible_core:2::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Ansible Automation Platform Execution Environments",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "ansible-automation-platform/ee-minimal-rhel8",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "2.14.13-21",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_core:2::el9",
      "cpe:/a:redhat:ansible_core:2::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Ansible Automation Platform Execution Environments",
    "collectionURL": "https://catalog.redhat.com/software/containers/",
    "packageName": "ansible-automation-platform/ee-minimal-rhel9",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "2.17.6-2",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_core:2::el9",
      "cpe:/a:redhat:ansible_core:2::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "ansible-core",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1:2.15.13-1.el8ap",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "ansible-core",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1:2.15.13-1.el9ap",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "ansible-core",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1:2.16.13-1.el8ap",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
      "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Ansible Automation Platform 2.5 for RHEL 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "ansible-core",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "1:2.16.13-1.el9ap",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_automation_platform:2.5::el9",
      "cpe:/a:redhat:ansible_automation_platform:2.5::el8",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el9",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el9",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.5::el8",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.5::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat OpenStack Platform 17.1 for RHEL 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "openstack-ansible-core",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:2.14.2-4.6.el9ost",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:openstack:17.1::el9"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux 10",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "ansible-core",
    "defaultStatus": "unaffected",
    "cpes": [
      "cpe:/o:redhat:enterprise_linux:10"
    ]
  }
]

Source	Link
access	www.access.redhat.com/errata/RHSA-2025:1861
access	www.access.redhat.com/errata/RHSA-2024:9894
bugzilla	www.bugzilla.redhat.com/show_bug.cgi
access	www.access.redhat.com/errata/RHSA-2024:8969
access	www.access.redhat.com/security/cve/CVE-2024-9902
access	www.access.redhat.com/errata/RHSA-2024:10762

06 Nov 2025 23:17Current

CVSS 3.16.3

EPSS0.00222

CWE-863

cve-2024-9902; ansible-core; user module; unprivileged user; file manipulation; system path; ownership escalation; traversal permissions