#VU30975 Information disclosure in Ansible


Published: 2019-07-31 | Updated: 2020-07-17

Vulnerability identifier: #VU30975

Vulnerability risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-10156

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ansible
Server applications / Remote management servers, RDP, SSH

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Ansible: 2.8.0 - 2.8.1

External links
http://access.redhat.com/errata/RHSA-2019:3744
http://access.redhat.com/errata/RHSA-2019:3789
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156
http://github.com/ansible/ansible/pull/57188
http://lists.debian.org/debian-lts-announce/2019/09/msg00016.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


openEuler update for ansible
Debian update for ansible
Red Hat OpenStack Platform 13 update for ansible
Red Hat OpenStack Platform 14 update for ansible
Information disclosure in ansible (Alpine package)
Information disclosure in Ansible
Ansible Engine 2.8 update for ansible
Ansible Engine 2.6 update for ansible
Ansible Engine 2.8 update for ansible
Ansible Engine 2.7 update for ansible