Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zeHZnLXg0N2oteDc1d83uSg
Ansible Improper Input Validation vulnerability
In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.
Permalink: https://github.com/advisories/GHSA-3xvg-x47j-x75wJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zeHZnLXg0N2oteDc1d83uSg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 2 years ago
Updated: 2 months ago
CVSS Score: 7.8
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-3xvg-x47j-x75w, CVE-2018-10874
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-10874
- https://access.redhat.com/errata/RHBA-2018:3788
- https://access.redhat.com/errata/RHSA-2018:2150
- https://access.redhat.com/errata/RHSA-2018:2151
- https://access.redhat.com/errata/RHSA-2018:2152
- https://access.redhat.com/errata/RHSA-2018:2166
- https://access.redhat.com/errata/RHSA-2018:2321
- https://access.redhat.com/errata/RHSA-2018:2585
- https://access.redhat.com/errata/RHSA-2019:0054
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10874
- https://access.redhat.com/security/cve/CVE-2018-10874
- https://bugzilla.redhat.com/show_bug.cgi?id=1596528
- https://web.archive.org/web/20201130165946/http://www.securitytracker.com/id/1041396
- https://github.com/ansible/ansible/pull/42067
- https://github.com/ansible/ansible/commit/44874addc7ea136f83c67d5869047ece02645fdb
- https://github.com/ansible/ansible/commit/1f80949f964a946773f9d3ac1899535bd2cc2b8e
- https://github.com/ansible/ansible/commit/10d6fe6c98cfee9a7be0fea6102ba5dec951aec7
- https://usn.ubuntu.com/4072-1
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-81.yaml
- https://github.com/advisories/GHSA-3xvg-x47j-x75w
Blast Radius: 32.5
Affected Packages
pypi:ansible
Dependent packages: 125Dependent repositories: 14,706
Downloads: 5,784,674 last month
Affected Version Ranges: >= 2.6, < 2.6.1, >= 2.5, < 2.5.6, >= 0, < 2.4.6.0
Fixed in: 2.6.1, 2.5.6, 2.4.6.0
All affected versions: 1.2.1, 1.2.2, 1.2.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.7.1, 1.7.2, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.9.0, 1.9.1, 1.9.2, 1.9.3, 1.9.4, 1.9.5, 1.9.6, 2.0.0, 2.5.0, 2.5.1, 2.5.2, 2.5.3, 2.5.4, 2.5.5, 2.5.6, 2.5.7, 2.5.8, 2.5.9, 2.5.10, 2.5.11, 2.5.12, 2.5.13, 2.5.14, 2.5.15, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 2.6.7, 2.6.8, 2.6.9, 2.6.10, 2.6.11, 2.6.12, 2.6.13, 2.6.14, 2.6.15, 2.6.16, 2.6.17, 2.6.18, 2.6.19, 2.6.20, 2.7.0, 2.7.1, 2.7.2, 2.7.3, 2.7.4, 2.7.5, 2.7.6, 2.7.7, 2.7.8, 2.7.9, 2.7.10, 2.7.11, 2.7.12, 2.7.13, 2.7.14, 2.7.15, 2.7.16, 2.7.17, 2.7.18, 2.8.0, 2.8.1, 2.8.2, 2.8.3, 2.8.4, 2.8.5, 2.8.6, 2.8.7, 2.8.8, 2.8.9, 2.8.10, 2.8.11, 2.8.12, 2.8.13, 2.8.14, 2.8.15, 2.8.16, 2.8.17, 2.8.18, 2.8.19, 2.8.20, 2.9.0, 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5, 2.9.6, 2.9.7, 2.9.8, 2.9.9, 2.9.10, 2.9.11, 2.9.12, 2.9.13, 2.9.14, 2.9.15, 2.9.16, 2.9.17, 2.9.18, 2.9.19, 2.9.20, 2.9.21, 2.9.22, 2.9.23, 2.9.24, 2.9.25, 2.9.26, 2.9.27, 2.10.0, 2.10.1, 2.10.2, 2.10.3, 2.10.4, 2.10.5, 2.10.6, 2.10.7, 3.0.0, 3.1.0, 3.2.0, 3.3.0, 3.4.0, 4.0.0, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0, 4.6.0, 4.7.0, 4.8.0, 4.9.0, 4.10.0, 5.0.1, 5.1.0, 5.2.0, 5.3.0, 5.4.0, 5.5.0, 5.6.0, 5.7.0, 5.7.1, 5.8.0, 5.9.0, 5.10.0, 6.0.0, 6.1.0, 6.2.0, 6.3.0, 6.4.0, 6.5.0, 6.6.0, 6.7.0, 7.0.0, 7.1.0, 7.2.0, 7.3.0, 7.4.0, 7.5.0, 7.6.0, 7.7.0, 8.0.0, 8.1.0, 8.2.0, 8.3.0, 8.4.0, 8.5.0, 8.6.0, 8.6.1, 8.7.0, 9.0.0, 9.0.1, 9.1.0, 9.2.0, 9.3.0, 9.4.0, 9.5.0, 9.5.1, 9.6.0, 9.6.1, 9.7.0, 9.8.0, 9.9.0, 9.10.0, 9.11.0, 10.0.0, 10.0.1, 10.1.0, 10.2.0, 10.3.0, 10.4.0, 10.5.0
All unaffected versions: