Miggo Logo
Miggo Vulnerability Database
CVE-2016-8614

CVE-2016-8614:
Ansible apt_key module does not properly verify key fingerprint

7.5

CVSS Score
3.0

Basic Information

CVE ID
CVE-2016-8614
GHSA ID
GHSA-cmwx-9m2h-x7v4
EPSS Score
0.27535%
CWE
CWE-358
Published
10/10/2018
Updated
9/3/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
ansiblepip>= 0, < 2.2.0.02.2.0.0

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from improper handling of key IDs in the apt_key module. The commit diff shows a reversal of return values from parse_key_id in the main function. Originally, key_id was set to the first return value (short_key_id), leading to verification based on insecure short IDs. The patch corrected this by assigning key_id to the full fingerprint value. The main function's incorrect variable assignment prior to the patch directly caused the security check bypass.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *oun* in *nsi*l* ***or* v*rsion *.*.*.*. T** `*pt_k*y` mo*ul* *o*s not prop*rly v*ri*y k*y *in**rprints, *llowin* r*mot* **v*rs*ry to *r**t* *n Op*nP*P k*y w*i** m*t***s t** s*ort k*y I* *n* inj**t t*is k*y inst*** o* t** *orr**t k*y.

Reasoning

T** vuln*r**ility st*mm** *rom improp*r **n*lin* o* k*y I*s in t** *pt_k*y mo*ul*. T** *ommit *i** s*ows * r*v*rs*l o* r*turn v*lu*s *rom p*rs*_k*y_i* in t** m*in *un*tion. Ori*in*lly, k*y_i* w*s s*t to t** *irst r*turn v*lu* (s*ort_k*y_i*), l***in*