CVE-2019-10156 — Sensitive Information Exposure in Redhat Ansible

CWE-200 — Sensitive Information Exposure12 documents8 sources

Severity

5.4MEDIUMNVD

OSV9.8

EPSS

0.5%

top 34.02%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible RED HAT Ansible Debian Linux +1 more

Timeline

PublishedJul 30

Latest updateJul 31

Description

A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 2.8 | Impact: 2.5

Affected Packages6 packages

▶NVDredhat/ansible2.7.0 — 2.7.12+2

▶PyPIredhat/ansible2.7.0a1 — 2.7.12+2

▶Debianredhat/ansible< 2.8.3+dfsg-1+3

▶Ubunturedhat/ansible< 2.0.0.2-2ubuntu1.3+1

▶CVEListV5red_hat/ansiblefixed in 2.6.18, fixed in 2.7.12, fixed in 2.8.2+2

Also affects: Debian Linux 8.0, 9.0

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

Exposure of Sensitive Information to an Unauthorized Actor in ansible↗2019-07-31

▶

OSV

Exposure of Sensitive Information to an Unauthorized Actor in ansible↗2019-07-31

▶

CVEList

CVE-2019-10156: A flaw was discovered in the way Ansible templating was implemented in versions before 2↗2019-07-30

▶

OSV

CVE-2019-10156: A flaw was discovered in the way Ansible templating was implemented in versions before 2↗2019-07-30

▶

OSV

ansible vulnerabilities↗2019-07-24

▶

📋Vendor Advisories

Ubuntu

Ansible vulnerabilities↗2019-07-24

▶

Red Hat

ansible: unsafe template evaluation of returned module data can lead to information disclosure↗2019-06-04

▶

Debian

CVE-2019-10156: ansible - A flaw was discovered in the way Ansible templating was implemented in versions ...↗2019

▶

💬Community

Bugzilla

CVE-2019-10156 ansible: unsafe template evaluation of returned module data can lead to information disclosure [epel-all]↗2019-06-05

▶

Bugzilla

CVE-2019-10156 ansible: unsafe template evaluation of returned module data can lead to information disclosure [fedora-all]↗2019-06-05

▶

Bugzilla

CVE-2019-10156 ansible: unsafe template evaluation of returned module data can lead to information disclosure↗2019-06-05

▶