Input validation error in ansible (Alpine package)
| Risk | Medium |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2019-10206 |
| CWE-ID | CWE-20 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software Subscribe |
ansible (Alpine package) Operating systems & Components / Operating system package or component |
| Vendor | Alpine Linux Development Team |
Security Bulletin
This security bulletin contains one medium risk vulnerability.
1) Input validation error
EUVDB-ID: #VU30585
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2019-10206
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote authenticated user to gain access to sensitive information.
ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.
MitigationInstall update from vendor's website.
Vulnerable software versionsansible (Alpine package): 2.4.6.0-r0
External linkshttp://git.alpinelinux.org/aports/commit/?id=c2ee36626b02eea017fc2f4b14191904f952bc5d
http://git.alpinelinux.org/aports/commit/?id=b60d8b5c9d3dc25f386bae243a6153b3d4909567
http://git.alpinelinux.org/aports/commit/?id=6b30494af214be58009a464982e5f9bd4927e635
http://git.alpinelinux.org/aports/commit/?id=0a567245f3079886830dc952c86c95d8f6b1c9de
http://git.alpinelinux.org/aports/commit/?id=182478667066cdb118bb935c36c2ec0b92b0c70f
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
