VDB
PYSEC-2019-5
PUBLISHED
CVSS 8.7 HIGH
The Ansible fetch module before versions 2.5.15, 2.6.14, and 2.7.8 has a path traversal vulnerability: because it does not restrict absolute paths, files can be copied to, and overwritten at, locations outside the specified destination on the local Ansible controller host.
Risk Scores
CVSS v4.0
8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | ansible | 2.5.0, 2.6.0, 2.5.0 |
Timeline
- Mar 27, 2019 CVE Published
- Nov 8, 2023 CVE Updated
- May 1, 2026 Distribution Patch
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
- May 1, 2026 Security Advisory
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828 report
- http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html url
- http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html url
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html url
- https://github.com/advisories/GHSA-74vq-h4q8-x6jv advisory
- https://github.com/ansible/ansible/pull/52133 fix
- https://usn.ubuntu.com/4072-1/ advisory
- https://access.redhat.com/errata/RHSA-2019:3744 advisory
- https://access.redhat.com/errata/RHSA-2019:3789 advisory