A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.
CPE | Name | Operator | Version |
---|---|---|---|
ubuntu_linux | eq | 16.04 | |
ubuntu_linux | eq | 18.04 | |
ubuntu_linux | eq | 19.04 | |
debian_linux | eq | 9.0 | |
debian_linux | eq | 8.0 | |
ansible_engine | eq | 2.5 | |
ansible_engine | eq | 2.0 | |
ansible_engine | eq | 2.4 | |
ansible_engine | eq | 2.6 | |
ceph_storage | eq | 3.0 |
lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
www.securitytracker.com/id/1041396
access.redhat.com/errata/RHBA-2018:3788
access.redhat.com/errata/RHSA-2018:2150
access.redhat.com/errata/RHSA-2018:2151
access.redhat.com/errata/RHSA-2018:2152
access.redhat.com/errata/RHSA-2018:2166
access.redhat.com/errata/RHSA-2018:2321
access.redhat.com/errata/RHSA-2018:2585
access.redhat.com/errata/RHSA-2019:0054
bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875
lists.debian.org/debian-lts-announce/2019/09/msg00016.html
usn.ubuntu.com/4072-1/
www.debian.org/security/2019/dsa-4396