ansible: Multiple vulnerabilities (CVE-2018-10874, CVE-2018-10875, CVE-2018-16837, CVE-2018-16876, CVE-2019-3828, CVE-2019-10156)
CVE-2018-10874: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution
Ansible was found to load inventory variables from the current working directory when running an ad-hoc command. If that directory is under an attacker's control, this allows arbitrary code to be run.
Fixed In Version:
ansible 2.4.6, 2.5.6, 2.6.1, 2.7.0 and newer are not affected
References:
https://github.com/ansible/ansible/pull/42067 https://github.com/ansible/ansible/commit/1f80949f964a946773f9d3ac1899535bd2cc2b8e
CVE-2018-10875: ansible.cfg is being read from current working directory allowing possible code execution
It was found that ansible.cfg is read from the current working directory. A config file placed there can point to plugin or module paths that are under the control of an attacker, allowing arbitrary code to be executed.
Fixed In Version:
ansible 2.4.6, 2.5.6, 2.6.1, 2.7.0 and newer are not affected
References:
https://github.com/ansible/ansible/pull/42070 https://github.com/ansible/ansible/commit/4cecbe81adbc655d7ab734165d3ac539f8ba5981
CVE-2018-16837: Information leak in "user" module
The "user" module leaks any data which is passed on as a parameter to ssh-keygen. This could lead to undesirable situations, such as passphrase credentials passed as a parameter to the ssh-keygen executable being shown in clear text to every user who has access just to the process list.
Fixed In Version:
ansible 2.7.1, 2.6.7 and 2.5.11
References:
https://github.com/ansible/ansible/pull/47436 https://nvd.nist.gov/vuln/detail/CVE-2018-16837
CVE-2018-16876: Information disclosure in vvv+ mode with no_log on
ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to an information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensitive data.
References:
https://github.com/ansible/ansible/pull/49569 https://nvd.nist.gov/vuln/detail/CVE-2018-16876
Patch:
https://github.com/ansible/ansible/commit/4c6d714aefb05366cb329e139214c89ebb364899
CVE-2019-3828: path traversal in the fetch module
The Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability: because it does not restrict an absolute path, it allows copying and overwriting files outside of the specified destination on the local Ansible controller host.
References:
https://github.com/ansible/ansible/pull/52133 https://nvd.nist.gov/vuln/detail/CVE-2019-3828
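The failure mode behind CVE-2019-3828, as an added example (not Ansible's code or its patch): a destination built by joining a base directory with an untrusted path, next to a version that checks containment before anything is written. The function names, the `web01` host name and the sample paths are constructed for illustration, and POSIX paths are assumed.

```python
import os


def naive_dest(base, host, remote_path):
    """Unchecked pattern: os.path.join drops every component that precedes
    an absolute one, so an absolute remote_path replaces base entirely."""
    return os.path.normpath(os.path.join(base, host, remote_path))


def safe_dest(base, host, remote_path):
    """Build base/host/remote_path and refuse any result that leaves base."""
    base_real = os.path.realpath(base)
    # Treat the untrusted path as relative: strip the leading separators
    # that would otherwise make os.path.join discard the base directory.
    relative = remote_path.lstrip("/")
    candidate = os.path.realpath(os.path.join(base_real, host, relative))
    # realpath collapses ".." and resolves symlinks, so the containment
    # test is made on the location that would actually be written.
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("destination escapes %r: %r" % (base, remote_path))
    return candidate


def is_contained(base, host, remote_path):
    """True when safe_dest accepts the path, False when it rejects it."""
    try:
        safe_dest(base, host, remote_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    base = "/tmp/fetched"  # constructed sample destination directory
    samples = ["/etc/hostname", "logs/app.log", "../../../home/user/.bashrc"]
    for sample in samples:
        print("%-30s naive=%-28s contained=%s" % (
            sample,
            naive_dest(base, "web01", sample),
            is_contained(base, "web01", sample),
        ))
```

The same containment test also rejects a host component such as `../other`, which matters when the host name itself comes from untrusted inventory data.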
CVE-2019-10156: unsafe template evaluation of returned module data can lead to information disclosure
Fixed In Version:
ansible 2.6.18, 2.7.12, and 2.8.2
References:
https://github.com/ansible/ansible/pull/57188