CVE-2019-10156
ansible: unsafe template evaluation of returned module data can lead to information disclosure
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.
Se detectó un fallo en la manera en que fueron implementadas las plantillas de Ansible en versiones anteriores a 2.6.18, 2.7.12 y 2.8.2, causando la posibilidad de revelación de información mediante la sustitución inesperada de variables. Tomando ventaja de la sustitución involuntaria de variables, se puede divulgar el contenido de cualquier variable.
A flaw was discovered in the way Ansible templating was implemented, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-03-27 CVE Reserved
- 2019-07-09 CVE Published
- 2024-07-23 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (9)
| URL | Tag | Source |
|---|---|---|
| https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html | Mailing List |
|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://github.com/ansible/ansible/pull/57188 | 2022-04-19 |
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2019:3744 | 2022-04-19 | |
| https://access.redhat.com/errata/RHSA-2019:3789 | 2022-04-19 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156 | 2022-04-19 | |
| https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html | 2022-04-19 | |
| https://www.debian.org/security/2021/dsa-4950 | 2022-04-19 | |
| https://access.redhat.com/security/cve/CVE-2019-10156 | 2019-11-07 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1717311 | 2019-11-07 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Ansible Search vendor "Redhat" for product "Ansible" | < 2.6.18 Search vendor "Redhat" for product "Ansible" and version " < 2.6.18" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ansible Search vendor "Redhat" for product "Ansible" | >= 2.7.0 < 2.7.12 Search vendor "Redhat" for product "Ansible" and version " >= 2.7.0 < 2.7.12" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ansible Search vendor "Redhat" for product "Ansible" | >= 2.8.0 < 2.8.2 Search vendor "Redhat" for product "Ansible" and version " >= 2.8.0 < 2.8.2" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 13 Search vendor "Redhat" for product "Openstack" and version "13" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openstack Search vendor "Redhat" for product "Openstack" | 14 Search vendor "Redhat" for product "Openstack" and version "14" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 8.0 Search vendor "Debian" for product "Debian Linux" and version "8.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0" | - |
Affected
| ||||||