CVE-2019-3828 — Path Traversal in Redhat Ansible

CWE-22 — Path Traversal13 documents8 sources

Severity

4.2MEDIUMNVD

EPSS

0.0%

top 91.63%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible RED HAT Ansible

Timeline

PublishedMar 27

Latest updateFeb 12

Description

Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:NExploitability: 1.1 | Impact: 2.7

Affected Packages4 packages

▶NVDredhat/ansible2.5.0 — 2.5.15+2

▶PyPIredhat/ansible2.6.0a1 — 2.6.14+2

▶Debianredhat/ansible< 2.7.7+dfsg-1+3

▶CVEListV5red_hat/ansible2.5.15, 2.6.14, 2.7.8+2

Patches

Patch: bugzilla.redhat.com ↗Patch: github.com ↗Patch: bugzilla.redhat.com ↗

🔴Vulnerability Details

OSV

ansible vulnerabilities↗2019-07-24

▶

OSV

Ansible Path Traversal vulnerability↗2019-04-15

▶

GHSA

Ansible Path Traversal vulnerability↗2019-04-15

▶

OSV

CVE-2019-3828: Ansible fetch module before versions 2↗2019-03-27

▶

CVEList

CVE-2019-3828: Ansible fetch module before versions 2↗2019-03-27

▶

📋Vendor Advisories

Ubuntu

Ansible vulnerabilities↗2019-07-24

▶

Red Hat

Ansible: path traversal in the fetch module↗2019-02-12

▶

Debian

CVE-2019-3828: ansible - Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal ...↗2019

▶

💬Community

Bugzilla

CVE-2020-1735 ansible: path injection on dest parameter in fetch module↗2020-02-12

▶

Bugzilla

CVE-2019-3828 ansible: path traversal in the fetch module [epel-all]↗2019-02-15

▶

Bugzilla

CVE-2019-3828 ansible: path traversal in the fetch module [fedora-all]↗2019-02-15

▶

Bugzilla

CVE-2019-3828 Ansible: path traversal in the fetch module↗2019-02-12

▶