CVE Vulnerability

CVE-2019-3828

Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.

3.3 /10

CVSS v2.0 :

V3 Legend

Vector :

Exploitability : 3.4 / Impact : 4.9

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact NONE

Scope

4.2 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.1 / Impact : 2.7

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://github.com/ansible/ansible/pull/52133 Patch Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828 Issue Tracking Patch
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html Third Party Advisory
https://usn.ubuntu.com/4072-1/ Third Party Advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3744 Third Party Advisory
https://access.redhat.com/errata/RHSA-2019:3789 Third Party Advisory
Configurations

Configuration 1

cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
Information

Published : 2019-03-27 01:29

Updated : 2020-05-21 02:55

NVD link : CVE-2019-3828

Mitre link : CVE-2019-3828

Products Affected

Ansible

Redhat

CWE
CWE-22