CVE-2013-2233:
Ansible fails to cache SSH host keys
7.4
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.58028%
CWE
-
Published
10/10/2018
Updated
11/18/2024
KEV Status
No
Technology
Python
PythonTechnical Details
CVSS Vector
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ansible | pip | < 1.2.1 | 1.2.1 |
Vulnerability Intelligence
Miggo AI
Miggo AIRoot Cause Analysis
The vulnerability stems from Ansible's Paramiko SSH implementation using AutoAddPolicy by default, which doesn't validate host keys against known hosts. The GitHub issue #857 and Red Hat bug report explicitly reference line 78 of paramiko_ssh.py where host key policy is set. The missing call to ssh.load_system_host_keys() and use of AutoAddPolicy instead of a verification policy directly enables the insecure behavior. The connection establishment logic in _connect() is the root cause.