Fluid Attacks Database

Description

Ansible Improper Input Validation vulnerability In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	ansible	>=0 <2.6.1+dfsg-1	2.6.1+dfsg-1
pypi	ansible	>=0 <2.4.6.0 \|\| >=2.5 <2.5.6 \|\| >=2.6 <2.6.1	2.4.6.0, 2.5.6, 2.6.1
debian 12	ansible	>=0 <2.6.1+dfsg-1	2.6.1+dfsg-1
debian 14	ansible	>=0 <2.6.1+dfsg-1	2.6.1+dfsg-1
debian 11	ansible	>=0 <2.6.1+dfsg-1	2.6.1+dfsg-1

Aliases

1. CVE-2018-108742. NVD-2018-108743. OSV-DEBIAN-2018-108744. OSV-2018-108745. GCVE-2018-108746. SECURITY-TRACKER-CVE-2018-108747. ACCESS-CVE-2018-108748. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. access.redhat.com13. access.redhat.com14. access.redhat.com15. access.redhat.com

References

1. https://github.com/ansible/ansible/pull/420672. https://github.com/ansible/ansible/commit/44874addc7ea136f83c67d5869047ece02645fdb3. https://github.com/ansible/ansible/commit/1f80949f964a946773f9d3ac1899535bd2cc2b8e4. https://github.com/ansible/ansible/commit/10d6fe6c98cfee9a7be0fea6102ba5dec951aec75. https://web.archive.org/web/20201130165946/http://www.securitytracker.com/id/10413966. https://usn.ubuntu.com/4072-17. https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-81.yaml8. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-108749. https://bugzilla.redhat.com/show_bug.cgi?id=1596528

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.