CVE-2018-10874 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2018-10874

CVE-2018-10874

July 02, 2018

In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.

Affected Packages

ansible (PYTHON):

Affected version(s) =2.6.0 <2.6.1

Fix Suggestion:

Update to version 2.6.1

ansible (PYTHON):

Affected version(s) >=2.5.0 <2.5.6

Fix Suggestion:

Update to version 2.5.6

ansible (PYTHON):

Affected version(s) >=1.0 <2.4.6.0

Fix Suggestion:

Update to version 2.4.6.0

Related Resources (22)

https://bugzilla.redhat.com/show_bug.cgi?id=1596528

https://access.redhat.com/errata/RHSA-2018:2321

https://usn.ubuntu.com/4072-1

https://access.redhat.com/errata/RHSA-2018:2151

http://www.securitytracker.com/id/1041396

https://access.redhat.com/security/cve/CVE-2018-10874

https://web.archive.org/web/20201130165946/http://www.securitytracker.com/id/1041396

https://github.com/ansible/ansible/commit/10d6fe6c98cfee9a7be0fea6102ba5dec951aec7

https://access.redhat.com/errata/RHSA-2019:0054

https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-81.yaml

https://access.redhat.com/errata/RHSA-2018:2585

https://github.com/ansible/ansible

https://access.redhat.com/errata/RHBA-2018:3788

https://access.redhat.com/errata/RHSA-2018:2166

https://github.com/ansible/ansible/commit/44874addc7ea136f83c67d5869047ece02645fdb

https://access.redhat.com/errata/RHSA-2018:2150

https://github.com/ansible/ansible/pull/42067

https://usn.ubuntu.com/4072-1/

https://github.com/ansible/ansible/commit/1f80949f964a946773f9d3ac1899535bd2cc2b8e

https://access.redhat.com/errata/RHSA-2018:2152

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10874

https://nvd.nist.gov/vuln/detail/CVE-2018-10874

Do you need more information?

CVSS v4

Base Score:

8.5

Attack Vector

LOCAL

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

LOW

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

HIGH

Vulnerable System Availability

HIGH

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

CVSS v2

Base Score:

4.6

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

Weakness Type (CWE)

Untrusted Search Path

CWE-426

Improper Input Validation

CWE-20

EPSS

Base Score:

0.05

Products

Solutions

Resources

Company

Compare

Developer Tools