Vulnerability identifier: #VU30975
Vulnerability risk: Medium
CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-200
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Ansible
Server applications /
Remote management servers, RDP, SSH
Vendor: Red Hat Inc.
Description
The vulnerability allows a remote authenticated user to read and manipulate data.
A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Ansible: 2.8.0 - 2.8.1
External links
http://access.redhat.com/errata/RHSA-2019:3744
http://access.redhat.com/errata/RHSA-2019:3789
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156
http://github.com/ansible/ansible/pull/57188
http://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.