7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
ansible is vulnerable to arbitrary code execution attacks. The application does not restrict the ansible.cfg
file from being installed into a world readable directory, allowing a malicious user to use it to direct to a malicious plugin or module to execute arbitrary code.
lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
www.securitytracker.com/id/1041396
access.redhat.com/errata/RHBA-2018:3788
access.redhat.com/errata/RHSA-2018:2150
access.redhat.com/errata/RHSA-2018:2151
access.redhat.com/errata/RHSA-2018:2152
access.redhat.com/errata/RHSA-2018:2166
access.redhat.com/errata/RHSA-2018:2321
access.redhat.com/errata/RHSA-2018:2585
access.redhat.com/errata/RHSA-2019:0054
bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875
github.com/ansible/ansible/commit/b6f2aad600662a2eee2c3079b3713827163f3fd4#diff-4620481bb35f1868b3b433c63ee9d013
github.com/ansible/ansible/pull/42070
lists.debian.org/debian-lts-announce/2019/09/msg00016.html
usn.ubuntu.com/4072-1/
www.debian.org/security/2019/dsa-4396
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P