#VU30975 Information disclosure in Ansible - CVE-2019-10156

 

Published: July 31, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU30975
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-10156
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Ansible
Software vendor:
Red Hat Inc.

Description

The vulnerability allows a remote authenticated user to read and manipulate data.

A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2. Unexpected variable substitution can lead to information disclosure: by taking advantage of the unintended substitution, the content of any variable may be disclosed.


Remediation

Install the update from the vendor's website.
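
To find installs that still need the update, the following added example (not part of the advisory or of Ansible itself) compares a version string, or the first line of `ansible --version` output, against the fixed releases named in the description. It assumes that branches newer than 2.8 already contain the fix and treats a pre-release of a fixed version as affected; the host names and the inventory are constructed.

```python
import re

# Fixed release per branch, taken from the advisory description.
FIXED = {(2, 6): 18, (2, 7): 12, (2, 8): 2}

# X.Y.Z with an optional pre/post-release suffix (rc1, b2, .dev0, .post0).
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)((?:a|b|rc|\.dev|\.post)\w*)?")


def parse_version(text):
    """Return (major, minor, patch, is_prerelease) for the first version in text."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    suffix = m.group(4) or ""
    return major, minor, patch, suffix.startswith(("a", "b", "rc", ".dev"))


def is_affected(text):
    """True if the version predates the fix for CVE-2019-10156."""
    major, minor, patch, is_pre = parse_version(text)
    branch = (major, minor)
    if branch < min(FIXED):
        return True   # older than 2.6: "before 2.6.18" and no fixed release listed
    if branch > max(FIXED):
        return False  # assumption: branches after 2.8 already carry the fix
    fixed_patch = FIXED[branch]
    if patch < fixed_patch:
        return True
    # A pre-release of the fixed version (e.g. 2.8.2rc1) sorts before it.
    return patch == fixed_patch and is_pre


def triage(inventory):
    """Return the sorted host names whose reported version is affected."""
    return sorted(host for host, out in inventory.items() if is_affected(out))


# Constructed sample: host name -> first line of `ansible --version`.
SAMPLE_INVENTORY = {
    "ctl-01": "ansible 2.8.1",
    "ctl-02": "ansible 2.7.12",
    "ctl-03": "ansible 2.6.17",
    "ctl-04": "ansible 2.8.2rc1",
    "ctl-05": "ansible [core 2.11.0]",
}

if __name__ == "__main__":
    print("needs update:", ", ".join(triage(SAMPLE_INVENTORY)))
```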
