CVE-2019-10156
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, making information disclosure possible through unexpected variable substitution. By taking advantage of unintended variable substitution, the content of any variable may be disclosed.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2019-10156.html
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2019-10156
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | forky | fixed | 2.8.3+dfsg-1 |
| debian | sid | fixed | 2.8.3+dfsg-1 |
| debian | trixie | fixed | 2.8.3+dfsg-1 |
| debian | bookworm | fixed | 2.8.3+dfsg-1 |
| debian | bullseye | fixed | 2.8.3+dfsg-1 |
| sles | | affected | |
References
- https://security-tracker.debian.org/tracker/CVE-2019-10156
- https://nvd.nist.gov/vuln/detail/CVE-2019-10156
- https://github.com/ansible/ansible/pull/57188
- https://github.com/ansible/ansible/commit/04e94274fb92e116e9082cc9b86b1fd05c836922
- https://github.com/ansible/ansible/commit/3ff6505e8ff0e4655bab008886983476ef903375
- https://github.com/ansible/ansible/commit/a11c3edfa41e7e4a4db323cdabfc2eae1b61da2a
- https://access.redhat.com/errata/RHSA-2019:3744
- https://access.redhat.com/errata/RHSA-2019:3789
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156
- https://github.com/advisories/GHSA-grgm-pph5-j5h7
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-2.yaml
- https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
- https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
- https://www.debian.org/security/2021/dsa-4950
- https://www.suse.com/security/cve/CVE-2019-10156.html