Description
Ansible Path Traversal vulnerability
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
References
- https://nvd.nist.gov/vuln/detail/CVE-2019-3828
- https://github.com/ansible/ansible/pull/52133
- https://github.com/ansible/ansible/commit/396a2f74717477d80600450e2b7e45349d7b5110
- https://github.com/ansible/ansible/commit/4be3215d2f9f84ca283895879f0c6ce1ed7dd333
- https://github.com/ansible/ansible/commit/f3edc091523fbe301926b7a0db25fbbd96940d93
- https://access.redhat.com/errata/RHSA-2019:3744
- https://access.redhat.com/errata/RHSA-2019:3789
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828
- https://github.com/advisories/GHSA-74vq-h4q8-x6jv
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-5.yaml
- https://usn.ubuntu.com/4072-1
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
- http://packetstormsecurity.com/files/172837/Ansible-Fetch-Path-Traversal.html
Packages
- ansible: affected < 2.5.15; fixed in 2.5.15
- ansible: affected >= 2.6.0a1, < 2.6.14; fixed in 2.6.14
- ansible: affected >= 2.7.0a1, < 2.7.8; fixed in 2.7.8
Related vulnerabilities
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path ...
A vulnerability in the fetch module of the Ansible configuration management system, related to improper limitation of a pathname to a restricted directory, which allows an attacker to gain unauthorized access to information and violate its integrity