Skip to main content

Ansible CVE-2019-10156

MEDIUM
Information Exposure (CWE-200)
2019-07-30 secalert@redhat.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Jul 30, 2019 - 23:15 nvd
MEDIUM 5.4

DescriptionNVD

A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.

AnalysisAI

A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. This Exposure of Sensitive Information vulnerability could allow attackers to access sensitive data that should not be disclosed.

Technical ContextAI

This vulnerability is classified as Exposure of Sensitive Information (CWE-200), which allows attackers to access sensitive data that should not be disclosed. A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed. Affected products include: Redhat Ansible, Redhat Openstack, Debian Debian Linux. Version information: before 2.6.18.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Minimize information in error messages, implement proper access controls, encrypt sensitive data at rest and in transit.

CVE-2019-10217 MEDIUM POC
6.5 Nov 25

A flaw was found in ansible 2.8.0 before 2.8.4. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploit

CVE-2017-7550 CRITICAL
9.8 Nov 21

A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkin

CVE-2021-33924 CRITICAL
9.8 Sep 29

Confluent Ansible (cp-ansible) version 5.5.0, 5.5.1, 5.5.2 and 6.0.0 is vulnerable to Incorrect Access Control via its a

CVE-2020-1733 MEDIUM POC
5.0 Mar 11

A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a play

CVE-2014-3498 HIGH
8.8 Jun 08

The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands. Rated high seve

CVE-2020-1735 MEDIUM POC
4.6 Mar 16

A flaw was found in the Ansible Engine when the fetch module is used. Rated medium severity (CVSS 4.6), this vulnerabili

CVE-2015-6240 HIGH
7.8 Jun 07

The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environme

CVE-2016-3096 HIGH
7.8 Jun 03

The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local use

CVE-2023-5764 HIGH
7.8 Dec 12

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the u

CVE-2022-3697 HIGH
7.5 Oct 28

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2

CVE-2020-1736 LOW POC
3.3 Mar 16

A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified

CVE-2020-25636 HIGH
7.1 Oct 05

A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file t

Share

CVE-2019-10156 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy