
    14 vulnerabilities found for ansible by [UNKNOWN]

    CVE-2019-14856 (GCVE-0-2019-14856)

    Vulnerability from nvd – Published: 2019-11-26 13:01 – Updated: 2024-08-05 00:26
    VLAI
    Summary
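    Ansible before versions 2.8.6, 2.7.14 and 2.6.20 is vulnerable to a None [sic: the published CVE description ends here; the record's problem type is CWE-287]. The version numbers listed as "Affected" under Impacted products are the same ones this description gives as upper bounds ("before versions"), so exact-match tooling against the affected list may miss earlier releases.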
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    [UNKNOWN] ansible Affected: 2.8.6
    Affected: 2.7.14
    Affected: 2.6.20

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T00:26:39.119Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2020:0756",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0756"
              },
              {
                "name": "openSUSE-SU-2020:0513",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"
              },
              {
                "name": "openSUSE-SU-2020:0523",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.8.6"
                },
                {
                  "status": "affected",
                  "version": "2.7.14"
                },
                {
                  "status": "affected",
                  "version": "2.6.20"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-12-04T18:00:58.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2020:0756",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0756"
            },
            {
              "name": "openSUSE-SU-2020:0513",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"
            },
            {
              "name": "openSUSE-SU-2020:0523",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2019-14856",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "2.8.6"
                              },
                              {
                                "version_value": "2.7.14"
                              },
                              {
                                "version_value": "2.6.20"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None"
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "6.4/CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2020:0756",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0756"
                },
                {
                  "name": "openSUSE-SU-2020:0513",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"
                },
                {
                  "name": "openSUSE-SU-2020:0523",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2019-14856",
        "datePublished": "2019-11-26T13:01:31.000Z",
        "dateReserved": "2019-08-10T00:00:00.000Z",
        "dateUpdated": "2024-08-05T00:26:39.119Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16837 (GCVE-0-2018-16837)

    Vulnerability from nvd – Published: 2018-10-23 15:00 – Updated: 2024-08-05 10:32
    VLAI
    Summary
    The Ansible "User" module leaks any data that is passed as a parameter to ssh-keygen. This could lead to undesirable situations, such as passphrases or credentials being passed as a parameter to the ssh-keygen executable, which shows those credentials in clear text to every user who has access to the process list.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:3460 vendor-advisory, x_refsource_REDHAT
    http://www.securityfocus.com/bid/105700 vdb-entry, x_refsource_BID
    https://access.redhat.com/errata/RHSA-2018:3462 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:3505 vendor-advisory, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2018:3463 vendor-advisory, x_refsource_REDHAT
    https://lists.debian.org/debian-lts-announce/2018… mailing-list, x_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2018:3461 vendor-advisory, x_refsource_REDHAT
    https://www.debian.org/security/2019/dsa-4396 vendor-advisory, x_refsource_DEBIAN
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisory, x_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisory, x_refsource_SUSE
    https://usn.ubuntu.com/4072-1/ vendor-advisory, x_refsource_UBUNTU
    http://lists.opensuse.org/opensuse-security-annou… vendor-advisory, x_refsource_SUSE
    Impacted products
    Vendor Product Version
    [UNKNOWN] Ansible Affected: n/a
    Date Public
    2018-10-23 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:32:54.010Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:3460",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3460"
              },
              {
                "name": "105700",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/105700"
              },
              {
                "name": "RHSA-2018:3462",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3462"
              },
              {
                "name": "RHSA-2018:3505",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3505"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837"
              },
              {
                "name": "RHSA-2018:3463",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3463"
              },
              {
                "name": "[debian-lts-announce] 20181112 [SECURITY] [DLA 1576-1] ansible security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html"
              },
              {
                "name": "RHSA-2018:3461",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3461"
              },
              {
                "name": "DSA-4396",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4396"
              },
              {
                "name": "openSUSE-SU-2019:1125",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
              },
              {
                "name": "openSUSE-SU-2019:1635",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"
              },
              {
                "name": "USN-4072-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4072-1/"
              },
              {
                "name": "openSUSE-SU-2019:1858",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2018-10-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-214",
                  "description": "CWE-214",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-08-14T08:06:03.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:3460",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3460"
            },
            {
              "name": "105700",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/105700"
            },
            {
              "name": "RHSA-2018:3462",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3462"
            },
            {
              "name": "RHSA-2018:3505",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3505"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837"
            },
            {
              "name": "RHSA-2018:3463",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3463"
            },
            {
              "name": "[debian-lts-announce] 20181112 [SECURITY] [DLA 1576-1] ansible security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html"
            },
            {
              "name": "RHSA-2018:3461",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3461"
            },
            {
              "name": "DSA-4396",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4396"
            },
            {
              "name": "openSUSE-SU-2019:1125",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
            },
            {
              "name": "openSUSE-SU-2019:1635",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"
            },
            {
              "name": "USN-4072-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4072-1/"
            },
            {
              "name": "openSUSE-SU-2019:1858",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2018-16837",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7.8/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-214"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:3460",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3460"
                },
                {
                  "name": "105700",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/105700"
                },
                {
                  "name": "RHSA-2018:3462",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3462"
                },
                {
                  "name": "RHSA-2018:3505",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3505"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837"
                },
                {
                  "name": "RHSA-2018:3463",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3463"
                },
                {
                  "name": "[debian-lts-announce] 20181112 [SECURITY] [DLA 1576-1] ansible security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html"
                },
                {
                  "name": "RHSA-2018:3461",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3461"
                },
                {
                  "name": "DSA-4396",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4396"
                },
                {
                  "name": "openSUSE-SU-2019:1125",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
                },
                {
                  "name": "openSUSE-SU-2019:1635",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"
                },
                {
                  "name": "USN-4072-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4072-1/"
                },
                {
                  "name": "openSUSE-SU-2019:1858",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-16837",
        "datePublished": "2018-10-23T15:00:00.000Z",
        "dateReserved": "2018-09-11T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:32:54.010Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7481 (GCVE-0-2017-7481)

    Vulnerability from nvd – Published: 2018-07-19 13:00 – Updated: 2024-08-05 16:04
    VLAI
    Summary
    Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2017:1599 vendor-advisory, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1334 vendor-advisory, x_refsource_REDHAT
    http://www.securityfocus.com/bid/98492 vdb-entry, x_refsource_BID
    https://github.com/ansible/ansible/commit/ed56f51… x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1244 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1499 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:2524 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1476 vendor-advisory, x_refsource_REDHAT
    https://usn.ubuntu.com/4072-1/ vendor-advisory, x_refsource_UBUNTU
    https://lists.debian.org/debian-lts-announce/2021… mailing-list, x_refsource_MLIST
    Impacted products
    Vendor Product Version
    [UNKNOWN] ansible Affected: ansible 2.3.1.0
    Affected: ansible 2.4.0.0
    Date Public
    2017-05-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:04:11.540Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2017:1599",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1599"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481"
              },
              {
                "name": "RHSA-2017:1334",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1334"
              },
              {
                "name": "98492",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/98492"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2"
              },
              {
                "name": "RHSA-2017:1244",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1244"
              },
              {
                "name": "RHSA-2017:1499",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1499"
              },
              {
                "name": "RHSA-2017:2524",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2524"
              },
              {
                "name": "RHSA-2017:1476",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1476"
              },
              {
                "name": "USN-4072-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4072-1/"
              },
              {
                "name": "[debian-lts-announce] 20210127 [SECURITY] [DLA 2535-1] ansible security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "ansible 2.3.1.0"
                },
                {
                  "status": "affected",
                  "version": "ansible 2.4.0.0"
                }
              ]
            }
          ],
          "datePublic": "2017-05-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as \u0027unsafe\u0027 and is not evaluated."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-27T23:06:14.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2017:1599",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1599"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481"
            },
            {
              "name": "RHSA-2017:1334",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1334"
            },
            {
              "name": "98492",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/98492"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2"
            },
            {
              "name": "RHSA-2017:1244",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1244"
            },
            {
              "name": "RHSA-2017:1499",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1499"
            },
            {
              "name": "RHSA-2017:2524",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2524"
            },
            {
              "name": "RHSA-2017:1476",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1476"
            },
            {
              "name": "USN-4072-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4072-1/"
            },
            {
              "name": "[debian-lts-announce] 20210127 [SECURITY] [DLA 2535-1] ansible security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-7481",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "ansible 2.3.1.0"
                              },
                              {
                                "version_value": "ansible 2.4.0.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as \u0027unsafe\u0027 and is not evaluated."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "5.3/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2017:1599",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1599"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481"
                },
                {
                  "name": "RHSA-2017:1334",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1334"
                },
                {
                  "name": "98492",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/98492"
                },
                {
                  "name": "https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2"
                },
                {
                  "name": "RHSA-2017:1244",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1244"
                },
                {
                  "name": "RHSA-2017:1499",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1499"
                },
                {
                  "name": "RHSA-2017:2524",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2524"
                },
                {
                  "name": "RHSA-2017:1476",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1476"
                },
                {
                  "name": "USN-4072-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4072-1/"
                },
                {
                  "name": "[debian-lts-announce] 20210127 [SECURITY] [DLA 2535-1] ansible security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-7481",
        "datePublished": "2018-07-19T13:00:00.000Z",
        "dateReserved": "2017-04-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:04:11.540Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-10875 (GCVE-0-2018-10875)

    Vulnerability from nvd – Published: 2018-07-13 22:00 – Updated: 2024-08-05 07:46
    Summary
    A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:2166 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2152 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2150 vendor-advisory x_refsource_REDHAT
    http://www.securitytracker.com/id/1041396 vdb-entry x_refsource_SECTRACK
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875 x_refsource_CONFIRM
    https://access.redhat.com/errata/RHBA-2018:3788 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:0054 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2151 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2321 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2585 vendor-advisory x_refsource_REDHAT
    https://www.debian.org/security/2019/dsa-4396 vendor-advisory x_refsource_DEBIAN
    http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html vendor-advisory x_refsource_SUSE
    https://usn.ubuntu.com/4072-1/ vendor-advisory x_refsource_UBUNTU
    https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html mailing-list x_refsource_MLIST
    Impacted products
    Vendor Product Version
    [UNKNOWN] ansible Affected: n/a
    Date Public
    2018-06-29 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:46:47.518Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:2166",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2166"
              },
              {
                "name": "RHSA-2018:2152",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2152"
              },
              {
                "name": "RHSA-2018:2150",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2150"
              },
              {
                "name": "1041396",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1041396"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875"
              },
              {
                "name": "RHBA-2018:3788",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHBA-2018:3788"
              },
              {
                "name": "RHSA-2019:0054",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0054"
              },
              {
                "name": "RHSA-2018:2151",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2151"
              },
              {
                "name": "RHSA-2018:2321",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2321"
              },
              {
                "name": "RHSA-2018:2585",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2585"
              },
              {
                "name": "DSA-4396",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4396"
              },
              {
                "name": "openSUSE-SU-2019:1125",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
              },
              {
                "name": "USN-4072-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4072-1/"
              },
              {
                "name": "[debian-lts-announce] 20190916 [SECURITY] [DLA 1923-1] ansible security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2018-06-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-09-16T14:06:20.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:2166",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2166"
            },
            {
              "name": "RHSA-2018:2152",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2152"
            },
            {
              "name": "RHSA-2018:2150",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2150"
            },
            {
              "name": "1041396",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1041396"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875"
            },
            {
              "name": "RHBA-2018:3788",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHBA-2018:3788"
            },
            {
              "name": "RHSA-2019:0054",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0054"
            },
            {
              "name": "RHSA-2018:2151",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2151"
            },
            {
              "name": "RHSA-2018:2321",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2321"
            },
            {
              "name": "RHSA-2018:2585",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2585"
            },
            {
              "name": "DSA-4396",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4396"
            },
            {
              "name": "openSUSE-SU-2019:1125",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
            },
            {
              "name": "USN-4072-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4072-1/"
            },
            {
              "name": "[debian-lts-announce] 20190916 [SECURITY] [DLA 1923-1] ansible security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2018-10875",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-426"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:2166",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2166"
                },
                {
                  "name": "RHSA-2018:2152",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2152"
                },
                {
                  "name": "RHSA-2018:2150",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2150"
                },
                {
                  "name": "1041396",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1041396"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875"
                },
                {
                  "name": "RHBA-2018:3788",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHBA-2018:3788"
                },
                {
                  "name": "RHSA-2019:0054",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0054"
                },
                {
                  "name": "RHSA-2018:2151",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2151"
                },
                {
                  "name": "RHSA-2018:2321",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2321"
                },
                {
                  "name": "RHSA-2018:2585",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2585"
                },
                {
                  "name": "DSA-4396",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4396"
                },
                {
                  "name": "openSUSE-SU-2019:1125",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
                },
                {
                  "name": "USN-4072-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4072-1/"
                },
                {
                  "name": "[debian-lts-announce] 20190916 [SECURITY] [DLA 1923-1] ansible security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-10875",
        "datePublished": "2018-07-13T22:00:00.000Z",
        "dateReserved": "2018-05-09T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:46:47.518Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-10855 (GCVE-0-2018-10855)

    Vulnerability from nvd – Published: 2018-07-02 18:00 – Updated: 2024-08-05 07:46
    Summary
    Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:1949 vendor-advisory x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855 x_refsource_CONFIRM
    https://access.redhat.com/errata/RHBA-2018:3788 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:1948 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2184 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2022 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:0054 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2079 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2585 vendor-advisory x_refsource_REDHAT
    https://www.debian.org/security/2019/dsa-4396 vendor-advisory x_refsource_DEBIAN
    https://usn.ubuntu.com/4072-1/ vendor-advisory x_refsource_UBUNTU
    Impacted products
    Vendor Product Version
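    [UNKNOWN] ansible Affected: Ansible 2.4.5
    Affected: Ansible 2.5.5
    Note: per the summary above, 2.4.5 and 2.5.5 are the releases that contain the fix; the affected releases are 2.4 before 2.4.5 and 2.5 before 2.5.5, so version matching against this field alone will miss vulnerable installs.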
    Date Public
    2018-06-11 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:46:47.397Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:1949",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1949"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
              },
              {
                "name": "RHBA-2018:3788",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHBA-2018:3788"
              },
              {
                "name": "RHSA-2018:1948",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1948"
              },
              {
                "name": "RHSA-2018:2184",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2184"
              },
              {
                "name": "RHSA-2018:2022",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2022"
              },
              {
                "name": "RHSA-2019:0054",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0054"
              },
              {
                "name": "RHSA-2018:2079",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2079"
              },
              {
                "name": "RHSA-2018:2585",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2585"
              },
              {
                "name": "DSA-4396",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4396"
              },
              {
                "name": "USN-4072-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4072-1/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ansible 2.4.5"
                },
                {
                  "status": "affected",
                  "version": "Ansible 2.5.5"
                }
              ]
            }
          ],
          "datePublic": "2018-06-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-07-25T01:06:04.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:1949",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1949"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
            },
            {
              "name": "RHBA-2018:3788",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHBA-2018:3788"
            },
            {
              "name": "RHSA-2018:1948",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1948"
            },
            {
              "name": "RHSA-2018:2184",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2184"
            },
            {
              "name": "RHSA-2018:2022",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2022"
            },
            {
              "name": "RHSA-2019:0054",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0054"
            },
            {
              "name": "RHSA-2018:2079",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2079"
            },
            {
              "name": "RHSA-2018:2585",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2585"
            },
            {
              "name": "DSA-4396",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4396"
            },
            {
              "name": "USN-4072-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4072-1/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2018-10855",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Ansible 2.4.5"
                              },
                              {
                                "version_value": "Ansible 2.5.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-532"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:1949",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1949"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
                },
                {
                  "name": "RHBA-2018:3788",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHBA-2018:3788"
                },
                {
                  "name": "RHSA-2018:1948",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1948"
                },
                {
                  "name": "RHSA-2018:2184",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2184"
                },
                {
                  "name": "RHSA-2018:2022",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2022"
                },
                {
                  "name": "RHSA-2019:0054",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0054"
                },
                {
                  "name": "RHSA-2018:2079",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2079"
                },
                {
                  "name": "RHSA-2018:2585",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2585"
                },
                {
                  "name": "DSA-4396",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4396"
                },
                {
                  "name": "USN-4072-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4072-1/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-10855",
        "datePublished": "2018-07-02T18:00:00.000Z",
        "dateReserved": "2018-05-09T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:46:47.397Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-10874 (GCVE-0-2018-10874)

    Vulnerability from nvd – Published: 2018-07-02 13:00 – Updated: 2024-08-05 07:46
    VLAI
    Summary
    In Ansible, it was found that when running an ad-hoc command, inventory variables are loaded from the current working directory, which can be under an attacker's control, allowing arbitrary code to be run as a result.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:2166 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2152 vendor-advisory, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10874 x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2018:2150 vendor-advisory, x_refsource_REDHAT
    http://www.securitytracker.com/id/1041396 vdb-entry, x_refsource_SECTRACK
    https://access.redhat.com/errata/RHBA-2018:3788 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:0054 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2151 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2321 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2585 vendor-advisory, x_refsource_REDHAT
    https://usn.ubuntu.com/4072-1/ vendor-advisory, x_refsource_UBUNTU
    Impacted products
    Vendor Product Version
    [UNKNOWN] ansible Affected: n/a
    Date Public
    2018-06-29 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:46:47.224Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:2166",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2166"
              },
              {
                "name": "RHSA-2018:2152",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2152"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10874"
              },
              {
                "name": "RHSA-2018:2150",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2150"
              },
              {
                "name": "1041396",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1041396"
              },
              {
                "name": "RHBA-2018:3788",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHBA-2018:3788"
              },
              {
                "name": "RHSA-2019:0054",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0054"
              },
              {
                "name": "RHSA-2018:2151",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2151"
              },
              {
                "name": "RHSA-2018:2321",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2321"
              },
              {
                "name": "RHSA-2018:2585",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2585"
              },
              {
                "name": "USN-4072-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4072-1/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2018-06-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker\u0027s control, allowing to run arbitrary code as a result."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-07-25T01:06:05.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:2166",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2166"
            },
            {
              "name": "RHSA-2018:2152",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2152"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10874"
            },
            {
              "name": "RHSA-2018:2150",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2150"
            },
            {
              "name": "1041396",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1041396"
            },
            {
              "name": "RHBA-2018:3788",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHBA-2018:3788"
            },
            {
              "name": "RHSA-2019:0054",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0054"
            },
            {
              "name": "RHSA-2018:2151",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2151"
            },
            {
              "name": "RHSA-2018:2321",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2321"
            },
            {
              "name": "RHSA-2018:2585",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2585"
            },
            {
              "name": "USN-4072-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4072-1/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-10874",
        "datePublished": "2018-07-02T13:00:00.000Z",
        "dateReserved": "2018-05-09T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:46:47.224Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7466 (GCVE-0-2017-7466)

    Vulnerability from nvd – Published: 2018-06-22 13:00 – Updated: 2024-08-05 16:04
    VLAI
    Summary
    Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2017:1599 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1334 vendor-advisory, x_refsource_REDHAT
    http://www.securityfocus.com/bid/97595 vdb-entry, x_refsource_BID
    https://access.redhat.com/errata/RHSA-2017:1685 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1244 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1499 vendor-advisory, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466 x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1476 vendor-advisory, x_refsource_REDHAT
    Impacted products
    Vendor Product Version
    [UNKNOWN] ansible Affected: ansible 2.3
    Date Public
    2018-06-22 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:04:11.382Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2017:1599",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1599"
              },
              {
                "name": "RHSA-2017:1334",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1334"
              },
              {
                "name": "97595",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/97595"
              },
              {
                "name": "RHSA-2017:1685",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1685"
              },
              {
                "name": "RHSA-2017:1244",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1244"
              },
              {
                "name": "RHSA-2017:1499",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1499"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466"
              },
              {
                "name": "RHSA-2017:1476",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1476"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "ansible 2.3"
                }
              ]
            }
          ],
          "datePublic": "2018-06-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-06-23T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2017:1599",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1599"
            },
            {
              "name": "RHSA-2017:1334",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1334"
            },
            {
              "name": "97595",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/97595"
            },
            {
              "name": "RHSA-2017:1685",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1685"
            },
            {
              "name": "RHSA-2017:1244",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1244"
            },
            {
              "name": "RHSA-2017:1499",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1499"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466"
            },
            {
              "name": "RHSA-2017:1476",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1476"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-7466",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "ansible 2.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "8.0/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2017:1599",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1599"
                },
                {
                  "name": "RHSA-2017:1334",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1334"
                },
                {
                  "name": "97595",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/97595"
                },
                {
                  "name": "RHSA-2017:1685",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1685"
                },
                {
                  "name": "RHSA-2017:1244",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1244"
                },
                {
                  "name": "RHSA-2017:1499",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1499"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466"
                },
                {
                  "name": "RHSA-2017:1476",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1476"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-7466",
        "datePublished": "2018-06-22T13:00:00.000Z",
        "dateReserved": "2017-04-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:04:11.382Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2019-14856 (GCVE-0-2019-14856)

    Vulnerability from cvelistv5 – Published: 2019-11-26 13:01 – Updated: 2024-08-05 00:26
    VLAI
    Summary
    ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    [UNKNOWN] ansible Affected: 2.8.6
    Affected: 2.7.14
    Affected: 2.6.20

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T00:26:39.119Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2020:0756",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2020:0756"
              },
              {
                "name": "openSUSE-SU-2020:0513",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"
              },
              {
                "name": "openSUSE-SU-2020:0523",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.8.6"
                },
                {
                  "status": "affected",
                  "version": "2.7.14"
                },
                {
                  "status": "affected",
                  "version": "2.6.20"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None"
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "CWE-287",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2020-12-04T18:00:58.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2020:0756",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2020:0756"
            },
            {
              "name": "openSUSE-SU-2020:0513",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"
            },
            {
              "name": "openSUSE-SU-2020:0523",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2019-14856",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "2.8.6"
                              },
                              {
                                "version_value": "2.7.14"
                              },
                              {
                                "version_value": "2.6.20"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None"
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "6.4/CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-287"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2020:0756",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2020:0756"
                },
                {
                  "name": "openSUSE-SU-2020:0513",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"
                },
                {
                  "name": "openSUSE-SU-2020:0523",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2019-14856",
        "datePublished": "2019-11-26T13:01:31.000Z",
        "dateReserved": "2019-08-10T00:00:00.000Z",
        "dateUpdated": "2024-08-05T00:26:39.119Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-16837 (GCVE-0-2018-16837)

    Vulnerability from cvelistv5 – Published: 2018-10-23 15:00 – Updated: 2024-08-05 10:32
    VLAI
    Summary
    Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lead to undesirable situations, such as passphrases and credentials passed as parameters to the ssh-keygen executable being shown in clear text to every user who has access to just the process list.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:3460 vendor-advisory, x_refsource_REDHAT
    http://www.securityfocus.com/bid/105700 vdb-entry, x_refsource_BID
    https://access.redhat.com/errata/RHSA-2018:3462 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:3505 vendor-advisory, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837 x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2018:3463 vendor-advisory, x_refsource_REDHAT
    https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html mailing-list, x_refsource_MLIST
    https://access.redhat.com/errata/RHSA-2018:3461 vendor-advisory, x_refsource_REDHAT
    https://www.debian.org/security/2019/dsa-4396 vendor-advisory, x_refsource_DEBIAN
    http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html vendor-advisory, x_refsource_SUSE
    http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html vendor-advisory, x_refsource_SUSE
    https://usn.ubuntu.com/4072-1/ vendor-advisory, x_refsource_UBUNTU
    http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html vendor-advisory, x_refsource_SUSE
    Impacted products
    Vendor Product Version
    [UNKNOWN] Ansible Affected: n/a
    Date Public
    2018-10-23 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T10:32:54.010Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:3460",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3460"
              },
              {
                "name": "105700",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/105700"
              },
              {
                "name": "RHSA-2018:3462",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3462"
              },
              {
                "name": "RHSA-2018:3505",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3505"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837"
              },
              {
                "name": "RHSA-2018:3463",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3463"
              },
              {
                "name": "[debian-lts-announce] 20181112 [SECURITY] [DLA 1576-1] ansible security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html"
              },
              {
                "name": "RHSA-2018:3461",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:3461"
              },
              {
                "name": "DSA-4396",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4396"
              },
              {
                "name": "openSUSE-SU-2019:1125",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
              },
              {
                "name": "openSUSE-SU-2019:1635",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"
              },
              {
                "name": "USN-4072-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4072-1/"
              },
              {
                "name": "openSUSE-SU-2019:1858",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2018-10-23T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-214",
                  "description": "CWE-214",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-08-14T08:06:03.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:3460",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3460"
            },
            {
              "name": "105700",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/105700"
            },
            {
              "name": "RHSA-2018:3462",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3462"
            },
            {
              "name": "RHSA-2018:3505",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3505"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837"
            },
            {
              "name": "RHSA-2018:3463",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3463"
            },
            {
              "name": "[debian-lts-announce] 20181112 [SECURITY] [DLA 1576-1] ansible security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html"
            },
            {
              "name": "RHSA-2018:3461",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:3461"
            },
            {
              "name": "DSA-4396",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4396"
            },
            {
              "name": "openSUSE-SU-2019:1125",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
            },
            {
              "name": "openSUSE-SU-2019:1635",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"
            },
            {
              "name": "USN-4072-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4072-1/"
            },
            {
              "name": "openSUSE-SU-2019:1858",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2018-16837",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Ansible \"User\" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7.8/CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-214"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:3460",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3460"
                },
                {
                  "name": "105700",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/105700"
                },
                {
                  "name": "RHSA-2018:3462",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3462"
                },
                {
                  "name": "RHSA-2018:3505",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3505"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837"
                },
                {
                  "name": "RHSA-2018:3463",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3463"
                },
                {
                  "name": "[debian-lts-announce] 20181112 [SECURITY] [DLA 1576-1] ansible security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2018/11/msg00012.html"
                },
                {
                  "name": "RHSA-2018:3461",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:3461"
                },
                {
                  "name": "DSA-4396",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4396"
                },
                {
                  "name": "openSUSE-SU-2019:1125",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
                },
                {
                  "name": "openSUSE-SU-2019:1635",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"
                },
                {
                  "name": "USN-4072-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4072-1/"
                },
                {
                  "name": "openSUSE-SU-2019:1858",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-16837",
        "datePublished": "2018-10-23T15:00:00.000Z",
        "dateReserved": "2018-09-11T00:00:00.000Z",
        "dateUpdated": "2024-08-05T10:32:54.010Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7481 (GCVE-0-2017-7481)

    Vulnerability from cvelistv5 – Published: 2018-07-19 13:00 – Updated: 2024-08-05 16:04
    VLAI
    Summary
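    Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, jinja2 templating language in lookup results is now marked as 'unsafe' and is not evaluated. [Note: the product table below marks 2.3.1.0 and 2.4.0.0 as "Affected", while this description names them as the versions before which the flaw exists, so treat them as boundary versions rather than exact matches.]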
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2017:1599 vendor-advisory, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481 x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1334 vendor-advisory, x_refsource_REDHAT
    http://www.securityfocus.com/bid/98492 vdb-entry, x_refsource_BID
    https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2 x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1244 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1499 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:2524 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1476 vendor-advisory, x_refsource_REDHAT
    https://usn.ubuntu.com/4072-1/ vendor-advisory, x_refsource_UBUNTU
    https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html mailing-list, x_refsource_MLIST
    Impacted products
    Vendor Product Version
    [UNKNOWN] ansible Affected: ansible 2.3.1.0
    Affected: ansible 2.4.0.0
    Date Public
    2017-05-09 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:04:11.540Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2017:1599",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1599"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481"
              },
              {
                "name": "RHSA-2017:1334",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1334"
              },
              {
                "name": "98492",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/98492"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2"
              },
              {
                "name": "RHSA-2017:1244",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1244"
              },
              {
                "name": "RHSA-2017:1499",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1499"
              },
              {
                "name": "RHSA-2017:2524",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:2524"
              },
              {
                "name": "RHSA-2017:1476",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1476"
              },
              {
                "name": "USN-4072-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4072-1/"
              },
              {
                "name": "[debian-lts-announce] 20210127 [SECURITY] [DLA 2535-1] ansible security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "ansible 2.3.1.0"
                },
                {
                  "status": "affected",
                  "version": "ansible 2.4.0.0"
                }
              ]
            }
          ],
          "datePublic": "2017-05-09T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as \u0027unsafe\u0027 and is not evaluated."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "HIGH",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-01-27T23:06:14.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2017:1599",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1599"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481"
            },
            {
              "name": "RHSA-2017:1334",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1334"
            },
            {
              "name": "98492",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/98492"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2"
            },
            {
              "name": "RHSA-2017:1244",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1244"
            },
            {
              "name": "RHSA-2017:1499",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1499"
            },
            {
              "name": "RHSA-2017:2524",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:2524"
            },
            {
              "name": "RHSA-2017:1476",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1476"
            },
            {
              "name": "USN-4072-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4072-1/"
            },
            {
              "name": "[debian-lts-announce] 20210127 [SECURITY] [DLA 2535-1] ansible security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-7481",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "ansible 2.3.1.0"
                              },
                              {
                                "version_value": "ansible 2.4.0.0"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as \u0027unsafe\u0027 and is not evaluated."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "5.3/CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2017:1599",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1599"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481"
                },
                {
                  "name": "RHSA-2017:1334",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1334"
                },
                {
                  "name": "98492",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/98492"
                },
                {
                  "name": "https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2",
                  "refsource": "CONFIRM",
                  "url": "https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2"
                },
                {
                  "name": "RHSA-2017:1244",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1244"
                },
                {
                  "name": "RHSA-2017:1499",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1499"
                },
                {
                  "name": "RHSA-2017:2524",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:2524"
                },
                {
                  "name": "RHSA-2017:1476",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1476"
                },
                {
                  "name": "USN-4072-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4072-1/"
                },
                {
                  "name": "[debian-lts-announce] 20210127 [SECURITY] [DLA 2535-1] ansible security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-7481",
        "datePublished": "2018-07-19T13:00:00.000Z",
        "dateReserved": "2017-04-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:04:11.540Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-10875 (GCVE-0-2018-10875)

    Vulnerability from cvelistv5 – Published: 2018-07-13 22:00 – Updated: 2024-08-05 07:46
    VLAI
    Summary
    A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.
    CWE: CWE-426
    Assigner: redhat
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:2166 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2152 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2150 vendor-advisory, x_refsource_REDHAT
    http://www.securitytracker.com/id/1041396 vdb-entry, x_refsource_SECTRACK
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875 x_refsource_CONFIRM
    https://access.redhat.com/errata/RHBA-2018:3788 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:0054 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2151 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2321 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2585 vendor-advisory, x_refsource_REDHAT
    https://www.debian.org/security/2019/dsa-4396 vendor-advisory, x_refsource_DEBIAN
    http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html vendor-advisory, x_refsource_SUSE
    https://usn.ubuntu.com/4072-1/ vendor-advisory, x_refsource_UBUNTU
    https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html mailing-list, x_refsource_MLIST
    Impacted products
    Vendor Product Version
    [UNKNOWN] ansible Affected: n/a
    Date Public
    2018-06-29 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:46:47.518Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:2166",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2166"
              },
              {
                "name": "RHSA-2018:2152",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2152"
              },
              {
                "name": "RHSA-2018:2150",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2150"
              },
              {
                "name": "1041396",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1041396"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875"
              },
              {
                "name": "RHBA-2018:3788",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHBA-2018:3788"
              },
              {
                "name": "RHSA-2019:0054",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0054"
              },
              {
                "name": "RHSA-2018:2151",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2151"
              },
              {
                "name": "RHSA-2018:2321",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2321"
              },
              {
                "name": "RHSA-2018:2585",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2585"
              },
              {
                "name": "DSA-4396",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4396"
              },
              {
                "name": "openSUSE-SU-2019:1125",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_SUSE",
                  "x_transferred"
                ],
                "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
              },
              {
                "name": "USN-4072-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4072-1/"
              },
              {
                "name": "[debian-lts-announce] 20190916 [SECURITY] [DLA 1923-1] ansible security update",
                "tags": [
                  "mailing-list",
                  "x_refsource_MLIST",
                  "x_transferred"
                ],
                "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2018-06-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-09-16T14:06:20.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:2166",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2166"
            },
            {
              "name": "RHSA-2018:2152",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2152"
            },
            {
              "name": "RHSA-2018:2150",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2150"
            },
            {
              "name": "1041396",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1041396"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875"
            },
            {
              "name": "RHBA-2018:3788",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHBA-2018:3788"
            },
            {
              "name": "RHSA-2019:0054",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0054"
            },
            {
              "name": "RHSA-2018:2151",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2151"
            },
            {
              "name": "RHSA-2018:2321",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2321"
            },
            {
              "name": "RHSA-2018:2585",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2585"
            },
            {
              "name": "DSA-4396",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4396"
            },
            {
              "name": "openSUSE-SU-2019:1125",
              "tags": [
                "vendor-advisory",
                "x_refsource_SUSE"
              ],
              "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
            },
            {
              "name": "USN-4072-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4072-1/"
            },
            {
              "name": "[debian-lts-announce] 20190916 [SECURITY] [DLA 1923-1] ansible security update",
              "tags": [
                "mailing-list",
                "x_refsource_MLIST"
              ],
              "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2018-10875",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "n/a"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "7.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-426"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:2166",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2166"
                },
                {
                  "name": "RHSA-2018:2152",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2152"
                },
                {
                  "name": "RHSA-2018:2150",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2150"
                },
                {
                  "name": "1041396",
                  "refsource": "SECTRACK",
                  "url": "http://www.securitytracker.com/id/1041396"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875"
                },
                {
                  "name": "RHBA-2018:3788",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHBA-2018:3788"
                },
                {
                  "name": "RHSA-2019:0054",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0054"
                },
                {
                  "name": "RHSA-2018:2151",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2151"
                },
                {
                  "name": "RHSA-2018:2321",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2321"
                },
                {
                  "name": "RHSA-2018:2585",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2585"
                },
                {
                  "name": "DSA-4396",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4396"
                },
                {
                  "name": "openSUSE-SU-2019:1125",
                  "refsource": "SUSE",
                  "url": "http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"
                },
                {
                  "name": "USN-4072-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4072-1/"
                },
                {
                  "name": "[debian-lts-announce] 20190916 [SECURITY] [DLA 1923-1] ansible security update",
                  "refsource": "MLIST",
                  "url": "https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-10875",
        "datePublished": "2018-07-13T22:00:00.000Z",
        "dateReserved": "2018-05-09T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:46:47.518Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-10855 (GCVE-0-2018-10855)

    Vulnerability from cvelistv5 – Published: 2018-07-02 18:00 – Updated: 2024-08-05 07:46
    VLAI
    Summary
    Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
    CWE: CWE-532
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:1949 vendor-advisory, x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855 x_refsource_CONFIRM
    https://access.redhat.com/errata/RHBA-2018:3788 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:1948 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2184 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2022 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:0054 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2079 vendor-advisory, x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2585 vendor-advisory, x_refsource_REDHAT
    https://www.debian.org/security/2019/dsa-4396 vendor-advisory, x_refsource_DEBIAN
    https://usn.ubuntu.com/4072-1/ vendor-advisory, x_refsource_UBUNTU
    Impacted products
    Vendor Product Version
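    [UNKNOWN] ansible Affected: Ansible 2.4.5
    Affected: Ansible 2.5.5
    Note: the Summary gives the affected ranges as 2.4 prior to 2.4.5 and 2.5 prior to 2.5.5, so the versions listed here are the upper bounds of those ranges rather than affected releases themselves. Do not match installed versions against this field by equality.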
    Date Public
    2018-06-11 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:46:47.397Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:1949",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1949"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
              },
              {
                "name": "RHBA-2018:3788",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHBA-2018:3788"
              },
              {
                "name": "RHSA-2018:1948",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:1948"
              },
              {
                "name": "RHSA-2018:2184",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2184"
              },
              {
                "name": "RHSA-2018:2022",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2022"
              },
              {
                "name": "RHSA-2019:0054",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0054"
              },
              {
                "name": "RHSA-2018:2079",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2079"
              },
              {
                "name": "RHSA-2018:2585",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2585"
              },
              {
                "name": "DSA-4396",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_DEBIAN",
                  "x_transferred"
                ],
                "url": "https://www.debian.org/security/2019/dsa-4396"
              },
              {
                "name": "USN-4072-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4072-1/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "Ansible 2.4.5"
                },
                {
                  "status": "affected",
                  "version": "Ansible 2.5.5"
                }
              ]
            }
          ],
          "datePublic": "2018-06-11T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "NONE",
                "baseScore": 5.9,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "NONE",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-07-25T01:06:04.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:1949",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1949"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
            },
            {
              "name": "RHBA-2018:3788",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHBA-2018:3788"
            },
            {
              "name": "RHSA-2018:1948",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:1948"
            },
            {
              "name": "RHSA-2018:2184",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2184"
            },
            {
              "name": "RHSA-2018:2022",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2022"
            },
            {
              "name": "RHSA-2019:0054",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0054"
            },
            {
              "name": "RHSA-2018:2079",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2079"
            },
            {
              "name": "RHSA-2018:2585",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2585"
            },
            {
              "name": "DSA-4396",
              "tags": [
                "vendor-advisory",
                "x_refsource_DEBIAN"
              ],
              "url": "https://www.debian.org/security/2019/dsa-4396"
            },
            {
              "name": "USN-4072-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4072-1/"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2018-10855",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "Ansible 2.4.5"
                              },
                              {
                                "version_value": "Ansible 2.5.5"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-532"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2018:1949",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1949"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855"
                },
                {
                  "name": "RHBA-2018:3788",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHBA-2018:3788"
                },
                {
                  "name": "RHSA-2018:1948",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:1948"
                },
                {
                  "name": "RHSA-2018:2184",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2184"
                },
                {
                  "name": "RHSA-2018:2022",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2022"
                },
                {
                  "name": "RHSA-2019:0054",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2019:0054"
                },
                {
                  "name": "RHSA-2018:2079",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2079"
                },
                {
                  "name": "RHSA-2018:2585",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2018:2585"
                },
                {
                  "name": "DSA-4396",
                  "refsource": "DEBIAN",
                  "url": "https://www.debian.org/security/2019/dsa-4396"
                },
                {
                  "name": "USN-4072-1",
                  "refsource": "UBUNTU",
                  "url": "https://usn.ubuntu.com/4072-1/"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-10855",
        "datePublished": "2018-07-02T18:00:00.000Z",
        "dateReserved": "2018-05-09T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:46:47.397Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2018-10874 (GCVE-0-2018-10874)

    Vulnerability from cvelistv5 – Published: 2018-07-02 13:00 – Updated: 2024-08-05 07:46
    Summary
    In Ansible, inventory variables are loaded from the current working directory when an ad-hoc command is run. If that directory's contents are under an attacker's control, this allows arbitrary code to be run.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2018:2166 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2152 vendor-advisory x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10874 x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2018:2150 vendor-advisory x_refsource_REDHAT
    http://www.securitytracker.com/id/1041396 vdb-entry x_refsource_SECTRACK
    https://access.redhat.com/errata/RHBA-2018:3788 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2019:0054 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2151 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2321 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2018:2585 vendor-advisory x_refsource_REDHAT
    https://usn.ubuntu.com/4072-1/ vendor-advisory x_refsource_UBUNTU
    Impacted products
    Vendor Product Version
    [UNKNOWN] ansible Affected: n/a
    Date Public
    2018-06-29 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T07:46:47.224Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2018:2166",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2166"
              },
              {
                "name": "RHSA-2018:2152",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2152"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10874"
              },
              {
                "name": "RHSA-2018:2150",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2150"
              },
              {
                "name": "1041396",
                "tags": [
                  "vdb-entry",
                  "x_refsource_SECTRACK",
                  "x_transferred"
                ],
                "url": "http://www.securitytracker.com/id/1041396"
              },
              {
                "name": "RHBA-2018:3788",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHBA-2018:3788"
              },
              {
                "name": "RHSA-2019:0054",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2019:0054"
              },
              {
                "name": "RHSA-2018:2151",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2151"
              },
              {
                "name": "RHSA-2018:2321",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2321"
              },
              {
                "name": "RHSA-2018:2585",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2018:2585"
              },
              {
                "name": "USN-4072-1",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_UBUNTU",
                  "x_transferred"
                ],
                "url": "https://usn.ubuntu.com/4072-1/"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "n/a"
                }
              ]
            }
          ],
          "datePublic": "2018-06-29T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker\u0027s control, allowing to run arbitrary code as a result."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "LOCAL",
                "availabilityImpact": "HIGH",
                "baseScore": 7.8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-426",
                  "description": "CWE-426",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2019-07-25T01:06:05.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2018:2166",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2166"
            },
            {
              "name": "RHSA-2018:2152",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2152"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10874"
            },
            {
              "name": "RHSA-2018:2150",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2150"
            },
            {
              "name": "1041396",
              "tags": [
                "vdb-entry",
                "x_refsource_SECTRACK"
              ],
              "url": "http://www.securitytracker.com/id/1041396"
            },
            {
              "name": "RHBA-2018:3788",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHBA-2018:3788"
            },
            {
              "name": "RHSA-2019:0054",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2019:0054"
            },
            {
              "name": "RHSA-2018:2151",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2151"
            },
            {
              "name": "RHSA-2018:2321",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2321"
            },
            {
              "name": "RHSA-2018:2585",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2018:2585"
            },
            {
              "name": "USN-4072-1",
              "tags": [
                "vendor-advisory",
                "x_refsource_UBUNTU"
              ],
              "url": "https://usn.ubuntu.com/4072-1/"
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2018-10874",
        "datePublished": "2018-07-02T13:00:00.000Z",
        "dateReserved": "2018-05-09T00:00:00.000Z",
        "dateUpdated": "2024-08-05T07:46:47.224Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2017-7466 (GCVE-0-2017-7466)

    Vulnerability from cvelistv5 – Published: 2018-06-22 13:00 – Updated: 2024-08-05 16:04
    Summary
    Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.
    CWE
    Assigner
    References
    URL Tags
    https://access.redhat.com/errata/RHSA-2017:1599 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1334 vendor-advisory x_refsource_REDHAT
    http://www.securityfocus.com/bid/97595 vdb-entry x_refsource_BID
    https://access.redhat.com/errata/RHSA-2017:1685 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1244 vendor-advisory x_refsource_REDHAT
    https://access.redhat.com/errata/RHSA-2017:1499 vendor-advisory x_refsource_REDHAT
    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466 x_refsource_CONFIRM
    https://access.redhat.com/errata/RHSA-2017:1476 vendor-advisory x_refsource_REDHAT
    Impacted products
    Vendor Product Version
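    [UNKNOWN] ansible Affected: ansible 2.3 (the summary above says versions before 2.3 are affected, so 2.3 here appears to be the fixed release rather than an affected one; confirm against the vendor advisories before using this field for version matching)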
    Date Public
    2018-06-22 00:00

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-05T16:04:11.382Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "name": "RHSA-2017:1599",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1599"
              },
              {
                "name": "RHSA-2017:1334",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1334"
              },
              {
                "name": "97595",
                "tags": [
                  "vdb-entry",
                  "x_refsource_BID",
                  "x_transferred"
                ],
                "url": "http://www.securityfocus.com/bid/97595"
              },
              {
                "name": "RHSA-2017:1685",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1685"
              },
              {
                "name": "RHSA-2017:1244",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1244"
              },
              {
                "name": "RHSA-2017:1499",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1499"
              },
              {
                "tags": [
                  "x_refsource_CONFIRM",
                  "x_transferred"
                ],
                "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466"
              },
              {
                "name": "RHSA-2017:1476",
                "tags": [
                  "vendor-advisory",
                  "x_refsource_REDHAT",
                  "x_transferred"
                ],
                "url": "https://access.redhat.com/errata/RHSA-2017:1476"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "ansible",
              "vendor": "[UNKNOWN]",
              "versions": [
                {
                  "status": "affected",
                  "version": "ansible 2.3"
                }
              ]
            }
          ],
          "datePublic": "2018-06-22T00:00:00.000Z",
          "descriptions": [
            {
              "lang": "en",
              "value": "Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges."
            }
          ],
          "metrics": [
            {
              "cvssV3_0": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "HIGH",
                "baseScore": 8,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                "version": "3.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "CWE-20",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2018-06-23T09:57:01.000Z",
            "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
            "shortName": "redhat"
          },
          "references": [
            {
              "name": "RHSA-2017:1599",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1599"
            },
            {
              "name": "RHSA-2017:1334",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1334"
            },
            {
              "name": "97595",
              "tags": [
                "vdb-entry",
                "x_refsource_BID"
              ],
              "url": "http://www.securityfocus.com/bid/97595"
            },
            {
              "name": "RHSA-2017:1685",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1685"
            },
            {
              "name": "RHSA-2017:1244",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1244"
            },
            {
              "name": "RHSA-2017:1499",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1499"
            },
            {
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466"
            },
            {
              "name": "RHSA-2017:1476",
              "tags": [
                "vendor-advisory",
                "x_refsource_REDHAT"
              ],
              "url": "https://access.redhat.com/errata/RHSA-2017:1476"
            }
          ],
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "secalert@redhat.com",
              "ID": "CVE-2017-7466",
              "STATE": "PUBLIC"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "ansible",
                          "version": {
                            "version_data": [
                              {
                                "version_value": "ansible 2.3"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "[UNKNOWN]"
                  }
                ]
              }
            },
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges."
                }
              ]
            },
            "impact": {
              "cvss": [
                [
                  {
                    "vectorString": "8.0/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
                    "version": "3.0"
                  }
                ]
              ]
            },
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-20"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "RHSA-2017:1599",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1599"
                },
                {
                  "name": "RHSA-2017:1334",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1334"
                },
                {
                  "name": "97595",
                  "refsource": "BID",
                  "url": "http://www.securityfocus.com/bid/97595"
                },
                {
                  "name": "RHSA-2017:1685",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1685"
                },
                {
                  "name": "RHSA-2017:1244",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1244"
                },
                {
                  "name": "RHSA-2017:1499",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1499"
                },
                {
                  "name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466",
                  "refsource": "CONFIRM",
                  "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466"
                },
                {
                  "name": "RHSA-2017:1476",
                  "refsource": "REDHAT",
                  "url": "https://access.redhat.com/errata/RHSA-2017:1476"
                }
              ]
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "assignerShortName": "redhat",
        "cveId": "CVE-2017-7466",
        "datePublished": "2018-06-22T13:00:00.000Z",
        "dateReserved": "2017-04-05T00:00:00.000Z",
        "dateUpdated": "2024-08-05T16:04:11.382Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }