CVE-2019-10156
4.6
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
Summary
A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Red Hat | ansible | fixed in 2.6.18 | affected |
| Red Hat | ansible | fixed in 2.7.12 | affected |
| Red Hat | ansible | fixed in 2.8.2 | affected |
Weaknesses
- CWE-200: CWE-200
ADP Enrichment
CVE Program Container
Additional References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156
- https://github.com/ansible/ansible/pull/57188
- https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
- https://access.redhat.com/errata/RHSA-2019:3744
- https://access.redhat.com/errata/RHSA-2019:3789
- https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
- https://www.debian.org/security/2021/dsa-4950
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156
- https://github.com/ansible/ansible/pull/57188
- https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
- https://access.redhat.com/errata/RHSA-2019:3744
- https://access.redhat.com/errata/RHSA-2019:3789
- https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
- https://www.debian.org/security/2021/dsa-4950
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.