—

PYSEC-2019-5

Details

Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / ansible

Introduced in: 2.5.0 Fixed in: 2.5.15

Fix pip install --upgrade 'ansible>=2.5.15'

References

https://github.com/ansible/ansible/pull/52133 [WEB]
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828 [REPORT]
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html [WEB]
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html [WEB]
https://usn.ubuntu.com/4072-1/ [WEB]
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html [WEB]
https://access.redhat.com/errata/RHSA-2019:3744 [ADVISORY]
https://access.redhat.com/errata/RHSA-2019:3789 [ADVISORY]
https://github.com/advisories/GHSA-74vq-h4q8-x6jv [ADVISORY]