CVE-2024-9902

6.3 MEDIUM

📋 TL;DR

This vulnerability in Ansible's user module allows an unprivileged user to create or replace any file on the system and take ownership of it when a privileged user runs the module against that user's home directory. It affects systems where Ansible is used with the vulnerable user module, particularly multi-user environments that rely on privilege separation.

💻 Affected Systems

Products:
  • ansible-core
  • Ansible Automation Platform
Versions: ansible-core 2.14.0 through 2.16.6, Ansible Automation Platform 2.4 and earlier
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is triggered when privileged users run the user module against unprivileged user home directories. Requires specific directory traversal permissions for full exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could replace critical system files (like /etc/passwd, /etc/shadow), gain root privileges, or disrupt system operations by corrupting configuration files.

🟠

Likely Case

An unprivileged user could escalate privileges by modifying files they shouldn't have access to, potentially gaining control over services or other user accounts.

🟢

If Mitigated

With proper access controls and monitoring, impact is limited to specific directories where the unprivileged user has traversal permissions.

🌐 Internet-Facing: LOW - This vulnerability requires local access and privileged user interaction with the vulnerable module.
🏢 Internal Only: MEDIUM - Risk exists in environments where Ansible is used for user management and unprivileged users can influence privileged operations.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires an unprivileged user account, a privileged user to execute the vulnerable module, and specific directory permissions. No public exploits have been reported.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ansible-core 2.16.7 and later, Ansible Automation Platform 2.4 with errata updates

Vendor Advisory: https://access.redhat.com/security/cve/CVE-2024-9902

Restart Required: No

Instructions:

  1. Update ansible-core to version 2.16.7 or later using your package manager.
  2. For Ansible Automation Platform, apply the relevant RHSA patches: RHSA-2024:10762, RHSA-2024:8969, RHSA-2024:9894, or RHSA-2025:1861.
  3. Verify the update with 'ansible --version'.

🔧 Temporary Workarounds

Restrict user module usage (Linux)

Limit execution of the user module to trusted administrators only and avoid running it against untrusted user home directories.

# Implement Ansible role-based access control
# Use become: false for user module tasks when possible

File system permissions hardening (Linux)

Restrict directory traversal permissions for unprivileged users on critical system paths.

chmod o-x /usr/bin
chmod o-x /etc
chmod o-x /var

Note that removing the traversal bit for "other" on /etc, /usr/bin or /var also blocks every ordinary unprivileged process from reading its configuration, resolving names or executing system binaries; test such changes on a non-production host first and prefer narrowing them to the specific paths that an Ansible-managed home directory could reach.

🧯 If You Can't Patch

  • Implement strict access controls on Ansible execution - only allow trusted administrators to run playbooks with the user module.
  • Monitor and audit all user module executions, particularly those targeting home directories of unprivileged users.

🔍 How to Verify

Check if Vulnerable:

Check the ansible-core version with 'ansible --version'. If the version is between 2.14.0 and 2.16.6 inclusive, the system is vulnerable.

Check Version:

ansible --version | head -n 1   # prints e.g. "ansible [core 2.16.6]"; the core version is the number in brackets

Verify Fix Applied:

After patching, verify ansible-core version is 2.16.7 or later. Test user module functionality to ensure it still works correctly.
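The version check above is easy to get wrong by hand (string comparison puts 2.16.10 before 2.16.7), so here is an added POSIX shell example, not part of the advisory or of Ansible itself, that parses the first line of 'ansible --version' and decides whether the reported ansible-core version falls inside the affected range 2.14.0 through 2.16.6 inclusive. The sample output it runs against is constructed; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an ansible-core version
# against the affected range for CVE-2024-9902.

# Constructed sample of `ansible --version` output (first line is what matters).
SAMPLE_OUTPUT='ansible [core 2.16.6]
  config file = /etc/ansible/ansible.cfg
  python version = 3.11.2 (/usr/bin/python3)'

# First affected and last affected versions from the advisory.
AFFECTED_MIN=2.14.0
AFFECTED_MAX=2.16.6

# Extract "X.Y.Z" from "ansible [core X.Y.Z]" (ansible-core 2.11+ format).
# Pre-release suffixes such as ".dev0" or "rc1" are dropped.
parse_core_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^ansible \[core \([0-9][0-9.]*[0-9]\).*/\1/p' \
        | head -n 1
}

# Numeric dotted-version comparison; prints -1, 0 or 1.
# Missing components count as 0, so 2.16 equals 2.16.0.
vercmp() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return; fi
    done
    printf '%s\n' 0
}

# Succeeds (exit 0) when the version is within [AFFECTED_MIN, AFFECTED_MAX].
is_affected() {
    [ "$(vercmp "$1" "$AFFECTED_MIN")" -ge 0 ] &&
    [ "$(vercmp "$1" "$AFFECTED_MAX")" -le 0 ]
}

# Takes the full `ansible --version` text and prints one of:
#   "affected X.Y.Z", "fixed X.Y.Z" or "unknown" (version line not found).
classify_ansible_output() {
    v=$(parse_core_version "$1")
    if [ -z "$v" ]; then
        printf 'unknown\n'
    elif is_affected "$v"; then
        printf 'affected %s\n' "$v"
    else
        printf 'fixed %s\n' "$v"
    fi
}

# Run against the constructed sample, then against the real binary if present.
classify_ansible_output "$SAMPLE_OUTPUT"
if command -v ansible >/dev/null 2>&1; then
    classify_ansible_output "$(ansible --version 2>/dev/null)"
fi
```

Because the comparison is numeric per component, 2.16.10 is correctly reported as fixed while 2.16.6 and 2.14.0 are reported as affected; a host where 'ansible' is not on PATH only shows the constructed sample result.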

📡 Detection & Monitoring

Log Indicators:

  • Ansible logs showing user module execution against home directories
  • Unexpected file ownership changes in system logs
  • Failed file operations in Ansible task logs

Network Indicators:

  • N/A - This is a local privilege escalation vulnerability

SIEM Query:

source="ansible.log" AND "user module" AND "home" AND ("failed" OR "changed")
