—

PYSEC-2018-43

Details

A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / ansible

Introduced in: 2.5 Fixed in: 2.5.6

Fix pip install --upgrade 'ansible>=2.5.6'

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875 [REPORT]
https://access.redhat.com/errata/RHSA-2018:2166 [ADVISORY]
https://access.redhat.com/errata/RHSA-2018:2152 [ADVISORY]
https://access.redhat.com/errata/RHSA-2018:2151 [ADVISORY]
https://access.redhat.com/errata/RHSA-2018:2150 [ADVISORY]
https://access.redhat.com/errata/RHSA-2018:2321 [ADVISORY]
http://www.securitytracker.com/id/1041396 [WEB]
https://access.redhat.com/errata/RHSA-2018:2585 [ADVISORY]
https://access.redhat.com/errata/RHBA-2018:3788 [ADVISORY]
https://access.redhat.com/errata/RHSA-2019:0054 [ADVISORY]
https://www.debian.org/security/2019/dsa-4396 [ADVISORY]
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html [WEB]
https://usn.ubuntu.com/4072-1/ [WEB]
https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html [WEB]