CVE-2018-10875

Description

A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.

Predictions

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

References

• https://security-tracker.debian.org/tracker/CVE-2018-10875
• https://nvd.nist.gov/vuln/detail/CVE-2018-10875
• https://github.com/ansible/ansible/issues/42388
• https://github.com/ansible/ansible/pull/43583
• https://github.com/ansible/ansible/pull/42070
• https://github.com/ansible/ansible/commit/ff980afefdbe4ceb828bdb1bb2eef03cf616bf63
• https://github.com/ansible/ansible/commit/4cecbe81adbc655d7ab734165d3ac539f8ba5981
• https://github.com/ansible/ansible/commit/f32c42c37aaf7b9db93ea3151b2f42a0c4bd8172
• https://www.debian.org/security/2019/dsa-4396
• https://web.archive.org/web/20201130165946/http://www.securitytracker.com/id/1041396
• https://usn.ubuntu.com/4072-1
• https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
• https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-43.yaml
• https://github.com/ansible/ansible
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875
• https://access.redhat.com/errata/RHSA-2019:0054
• https://access.redhat.com/errata/RHSA-2018:2585
• https://access.redhat.com/errata/RHSA-2018:2321
• https://access.redhat.com/errata/RHSA-2018:2166
• https://access.redhat.com/errata/RHSA-2018:2152
• https://access.redhat.com/errata/RHSA-2018:2151
• https://access.redhat.com/errata/RHSA-2018:2150
• https://access.redhat.com/errata/RHBA-2018:3788
• http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
• https://www.suse.com/security/cve/CVE-2018-10875.html