CVE-2018-10874
Published: 2018-07-02
Severity: high, 7.8 (CVSS 3.0)
AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
In Ansible, it was found that inventory variables are loaded from the current working directory when running an ad-hoc command; these variables are under an attacker's control, allowing arbitrary code to be run as a result.
Affected
19 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ansible | < ansible 2.6.1+dfsg-1 (bookworm) | ansible 2.6.1+dfsg-1 (bookworm) |
| redhat | ansible | >= 0 < 2.6.1+dfsg-1 | 2.6.1+dfsg-1 |
| redhat | ansible | >= 0 < 2.6.1+dfsg-1 | 2.6.1+dfsg-1 |
| redhat | ansible | >= 0 < 2.6.1+dfsg-1 | 2.6.1+dfsg-1 |
| redhat | ansible | >= 0 < 2.6.1+dfsg-1 | 2.6.1+dfsg-1 |
| redhat | ansible | >= 0 < 2.4.6.0 | 2.4.6.0 |
| redhat | ansible | >= 0 < 2.0.0.2-2ubuntu1.3 | 2.0.0.2-2ubuntu1.3 |
| redhat | ansible | >= 0 < 2.5.1+dfsg-1ubuntu0.1 | 2.5.1+dfsg-1ubuntu0.1 |
| redhat | ansible | >= 2.5 < 2.5.6 | 2.5.6 |
| redhat | ansible | >= 2.6 < 2.6.1 | 2.6.1 |
| redhat | ansible_engine | — | — |
| redhat | ansible_engine | — | — |
| redhat | ansible_engine | — | — |
| redhat | ansible_engine | — | — |
| redhat | openstack | — | — |
| redhat | openstack | — | — |
| redhat | openstack | — | — |
| redhat | virtualization | — | — |
| redhat | virtualization_host | — | — |
CVSS provenance
nvd: v3.0, 7.8 HIGH, CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv: 9.8 CRITICAL