PRIOn knowledge basePRION:CVE-2018-10875Code injection
A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.
| CPE | Name | Operator | Version |
|---|---|---|---|
| ubuntu_linux | eq | 16.04 | |
| ubuntu_linux | eq | 18.04 | |
| ubuntu_linux | eq | 19.04 | |
| debian_linux | eq | 9.0 | |
| debian_linux | eq | 8.0 | |
| ansible_engine | eq | 2.5 | |
| ansible_engine | eq | 2.0 | |
| ansible_engine | eq | 2.4 | |
| ansible_engine | eq | 2.6 | |
| ceph_storage | eq | 3.0 |
References
lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
www.securitytracker.com/id/1041396
access.redhat.com/errata/RHBA-2018:3788
access.redhat.com/errata/RHSA-2018:2150
access.redhat.com/errata/RHSA-2018:2151
access.redhat.com/errata/RHSA-2018:2152
access.redhat.com/errata/RHSA-2018:2166
access.redhat.com/errata/RHSA-2018:2321
access.redhat.com/errata/RHSA-2018:2585
access.redhat.com/errata/RHSA-2019:0054
bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875
lists.debian.org/debian-lts-announce/2019/09/msg00016.html
usn.ubuntu.com/4072-1/
www.debian.org/security/2019/dsa-4396
Related
