Ansible does not verify that the server hostname matches a domain name in certificates
Moderate severity
GitHub Reviewed
Published
Oct 10, 2018
to the GitHub Advisory Database
•
Updated Aug 31, 2023
Description
Published to the GitHub Advisory Database
Oct 10, 2018
Reviewed
Jun 16, 2020
Last updated
Aug 31, 2023
Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
References