Information disclosure in Ansible - CVE-2019-10156

 


Published: July 31, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU30975
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-10156
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Red Hat Inc.
Affected software:
Ansible

Detailed vulnerability description

The vulnerability allows a remote authenticated user to read and manipulate data.

A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2. It can lead to information disclosure through unexpected variable substitution: by taking advantage of the unintended substitution, the content of any variable may be disclosed.


How to mitigate CVE-2019-10156

Install the update from the vendor's website.
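
To decide whether a host still needs the update, the version ranges in the description can be checked against the first line of `ansible --version` output. The following is an added example, not vendor code; the function names and the sample banner are constructed, and it assumes that branches newer than 2.8 already contain the fix and that a pre-release of a fixed version (for example `2.8.2rc1`) should still be treated as affected.

```python
import re

# First fixed patch level per release branch, taken from the advisory text.
FIXED = {(2, 6): 18, (2, 7): 12, (2, 8): 2}

_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)([.\w]*)")
_PRERELEASE = re.compile(r"\.?(?:a|b|rc|dev)\d")

# Constructed sample of `ansible --version` output (not from a real host).
SAMPLE = """ansible 2.7.10
  config file = /etc/ansible/ansible.cfg
  python version = 3.6.8
"""


def parse_version(banner):
    """Return (major, minor, patch, suffix) from the banner line, or None."""
    for line in banner.splitlines():
        # Only the unindented first line carries the Ansible version;
        # indented lines (python version, paths) are ignored.
        if line.startswith("ansible"):
            m = _VERSION.search(line)
            if m:
                return int(m[1]), int(m[2]), int(m[3]), m[4]
    return None


def is_affected(banner):
    """True if affected by CVE-2019-10156, False if fixed, None if unknown."""
    parsed = parse_version(banner)
    if parsed is None:
        return None
    major, minor, patch, suffix = parsed
    branch = (major, minor)
    if branch < min(FIXED):      # older than 2.6: before every fixed release
        return True
    if branch > max(FIXED):      # assumption: 2.9 and later ship the fix
        return False
    fixed_patch = FIXED[branch]
    if patch < fixed_patch:
        return True
    # A pre-release of the fixed version sorts before the fixed release.
    return patch == fixed_patch and bool(_PRERELEASE.match(suffix))


if __name__ == "__main__":
    print("affected:", is_affected(SAMPLE))
```

A `None` result means the banner could not be parsed and the host should be checked by hand rather than assumed safe.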
