Vulnerability DatabaseCVE-2018-10875
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2018-10875
July 13, 2018
A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.
Affected Packages
ansible (PYTHON):
Affected version(s) >=2.6.0a1 <2.6.1
Fix Suggestion:
Update to version 2.6.1
ansible (PYTHON):
Affected version(s) >=2.5.0a1 <2.5.6
Fix Suggestion:
Update to version 2.5.6
ansible (PYTHON):
Affected version(s) >=1.0 <2.4.6.0
Fix Suggestion:
Update to version 2.4.6.0
Related ResourcesĀ (25)
https://access.redhat.com/errata/RHSA-2018:2152
https://github.com/ansible/ansible/commit/f32c42c37aaf7b9db93ea3151b2f42a0c4bd8172
https://access.redhat.com/errata/RHSA-2018:2585
https://github.com/ansible/ansible/pull/42070
https://access.redhat.com/errata/RHSA-2019:0054
https://nvd.nist.gov/vuln/detail/CVE-2018-10875
https://usn.ubuntu.com/4072-1
https://usn.ubuntu.com/4072-1/
https://github.com/ansible/ansible/commit/4cecbe81adbc655d7ab734165d3ac539f8ba5981
https://access.redhat.com/errata/RHSA-2018:2321
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
https://github.com/ansible/ansible/commit/ff980afefdbe4ceb828bdb1bb2eef03cf616bf63
https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-43.yaml
https://github.com/ansible/ansible/pull/43583
http://www.securitytracker.com/id/1041396
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875
https://access.redhat.com/errata/RHBA-2018:3788
https://access.redhat.com/errata/RHSA-2018:2151
https://access.redhat.com/errata/RHSA-2018:2166
https://www.debian.org/security/2019/dsa-4396
https://github.com/ansible/ansible/issues/42388
https://web.archive.org/web/20201130165946/http://www.securitytracker.com/id/1041396
https://access.redhat.com/errata/RHSA-2018:2150
https://github.com/ansible/ansible
Do you need more information?
Contact Us
CVSS v4
Base Score:
8.5
Attack Vector
LOCAL
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
LOW
User Interaction
NONE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
7.8
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
CVSS v2
Base Score:
4.6
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
Weakness Type (CWE)
Untrusted Search Path
CWE-426
EPSS
Base Score:
0.04