CVE-2013-2233: Ansible fails to cache SSH host keys
CVSS Score: 7.4 (CVSS 3.0)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.58028%
CWE: -
Published: 10/10/2018
Updated: 11/18/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ansible | pip | < 1.2.1 | 1.2.1 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Ansible's Paramiko SSH implementation using AutoAddPolicy by default, which does not validate host keys against known hosts. GitHub issue #857 and the Red Hat bug report explicitly reference line 78 of paramiko_ssh.py, where the host key policy is set. The missing call to ssh.load_system_host_keys() and the use of AutoAddPolicy instead of a verification policy directly enable the insecure behavior. The connection establishment logic in _connect() is the root cause.
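The pattern described above can be checked for statically. The following is an added example, not code from Ansible or from this advisory: a small AST audit that flags a permissive Paramiko host key policy and connections made without loading known host keys. The two source samples are constructed, and the names audit_host_key_handling, ACCEPTING and LOADERS are hypothetical.

```python
import ast

# Constructed samples for illustration; not Ansible's actual paramiko_ssh.py.
VULNERABLE = '''
import paramiko
def _connect(host):
    ssh = paramiko.SSHClient()
    ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    ssh.connect(host)
    return ssh
'''
HARDENED = '''
import paramiko
def _connect(host):
    ssh = paramiko.SSHClient()
    ssh.load_system_host_keys()
    ssh.set_missing_host_key_policy(paramiko.RejectPolicy())
    ssh.connect(host)
    return ssh
'''
# Paramiko policies that accept a host key that is not in known_hosts.
ACCEPTING = {"AutoAddPolicy", "WarningPolicy"}
LOADERS = {"load_system_host_keys", "load_host_keys"}

def _name(node):
    """Trailing name of a call target or reference, e.g. 'AutoAddPolicy'."""
    target = node.func if isinstance(node, ast.Call) else node
    return getattr(target, "attr", None) or getattr(target, "id", None)

def audit_host_key_handling(source):
    """Return [(lineno, message)] for risky host key handling per function."""
    findings = []
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        calls = [n for n in ast.walk(fn) if isinstance(n, ast.Call)]
        names = {_name(c) for c in calls}
        for c in calls:
            if _name(c) == "set_missing_host_key_policy" and c.args:
                policy = _name(c.args[0])
                if policy in ACCEPTING:
                    findings.append((c.lineno, f"{fn.name}: {policy} accepts unknown host keys"))
        # Heuristic: any .connect() call in a function that never loads known hosts.
        if "connect" in names and not (names & LOADERS):
            findings.append((fn.lineno, f"{fn.name}: connect() without loading known host keys"))
    return findings
if __name__ == "__main__":
    for line, msg in audit_host_key_handling(VULNERABLE):
        print(line, msg)
```

The connect() check is a name-based heuristic, so it can also match non-SSH connect() calls; treat findings as review prompts.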