CVE-2022-4245
Privilege Escalation vulnerability in plexus-utils (Maven)
What is CVE-2022-4245 About?
A flaw in Ansible Engine, affecting versions 2.7.x, 2.8.x, and 2.9.x, allows an attacker to choose which module Ansible loads when the 'use' parameter is not specified and a previous task in the same run was executed by a malicious user. That user can alter the Ansible facts file, and the altered facts then steer later tasks to an attacker-chosen module, leading to privilege escalation. Exploitation depends on specific preconditions: a preceding task under attacker control and attacker control over the facts.
Affected Software
Technical Details
The vulnerability exists in Ansible Engine when the 'package' or 'service' module is used without explicitly specifying the 'use' parameter. If a prior task within the same playbook run was executed by a 'malicious' user (i.e., a user under attacker control or with compromised privileges), that user can manipulate the Ansible facts file. By modifying ansible_facts to point at a malicious module or service backend, the attacker can trick subsequent tasks (those that call 'package' or 'service' without 'use') into loading and executing the attacker's module instead of the intended one. This allows for privilege escalation, because the malicious module runs with the privileges under which the vulnerable task executes on the target host (typically root via privilege escalation, or the Ansible controller's account).
What is the Impact of CVE-2022-4245?
Successful exploitation may allow attackers to achieve privilege escalation, execute arbitrary code with higher privileges, or disrupt system operations.
What is the Exploitability of CVE-2022-4245?
Exploitation of this vulnerability is of moderate complexity. It requires prior access to, or control over, a user account that executes a preceding Ansible task, and that user must be able to manipulate the Ansible facts file on the target system. The 'use' parameter must also be left unspecified in the affected 'package' or 'service' tasks. This is typically a local exploitation scenario, leveraging compromised insider access or a pre-existing low-privilege compromise on the target host. The exploit itself has no authentication requirement beyond that initially compromised user. The special conditions are the specific Ansible configuration and the attacker's ability to inject false facts. Risk is higher in environments with weak control over user permissions and without Ansible playbook best practices such as always specifying 'use'.
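The mitigation the text names, pinning the backend with an explicit 'use' on package and service tasks, shown as an added playbook example. This is not code from the page or from the Ansible project; the host group, package name and service name are constructed placeholders, and the backend values assume a Debian-style host with apt and systemd.

```yaml
# Added example (not from the page): the weak pattern beside the hardened one.
# Host group, package and service names are constructed placeholders.
- name: Package and service tasks with explicit backend selection
  hosts: webservers
  become: true
  tasks:
    # Weak pattern: 'use' is omitted, so the module backend is resolved from
    # facts (pkg_mgr / service_mgr) that an earlier task could have altered.
    - name: Install nginx (backend chosen from facts)
      ansible.builtin.package:
        name: nginx
        state: present

    # Hardened pattern: pin the backend so the fact value is never consulted.
    - name: Install nginx (backend pinned to apt)
      ansible.builtin.package:
        name: nginx
        state: present
        use: apt

    - name: Ensure nginx is running (backend pinned to systemd)
      ansible.builtin.service:
        name: nginx
        state: started
        enabled: true
        use: systemd
```

With 'use' set, the module does not fall back to the auto-detected fact to pick its backend, which is the property the mitigation relies on; the value must match the target platform, so in a mixed fleet it is usually set per host group rather than hard-coded in a shared role.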
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-4245?
Available Upgrade Options
- org.codehaus.plexus:plexus-utils
  - <3.0.24 → Upgrade to 3.0.24
Additional Resources
- https://github.com/codehaus-plexus/plexus-utils/issues/3
- https://bugzilla.redhat.com/show_bug.cgi?id=2149843
- https://access.redhat.com/errata/RHSA-2023:3906
- https://osv.dev/vulnerability/GHSA-jcwr-x25h-x5fh
- https://access.redhat.com/errata/RHSA-2023:2135
- https://github.com/codehaus-plexus/plexus-utils
- https://security.snyk.io/vuln/SNYK-JAVA-ORGCODEHAUSPLEXUS-461102
- https://github.com/codehaus-plexus/plexus-utils/commit/f933e5e78dc2637e485447ed821fe14904f110de
What are Similar Vulnerabilities to CVE-2022-4245?
Similar Vulnerabilities: CVE-2021-36222, CVE-2020-1737, CVE-2020-1739, CVE-2019-3829, CVE-2019-3870
