Bug 1596528 (CVE-2018-10874)
| Summary: | CVE-2018-10874 ansible: Inventory variables are loaded from current working directory when running ad-hoc command that can lead to code execution | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Adam Mariš <amaris> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | a.badger, abhgupta, ahardin, aos-bugs, apevec, athmanem, bbuckingham, bcourt, bkearney, bleanhar, bmcclain, ccoleman, chrisw, cpelland, cshereme, dajohnso, dbaker, dbecker, dblechte, dedgar, dfediuck, dmetzger, dominik.mierzejewski, eedri, eparis, gblomqui, gmccullo, gtanzill, jcammara, jfrey, jgoulding, jhardy, jjoyce, jmatthew, jokerman, jprause, jschluet, jupierce, kbasil, kdixon, kdube, kevin, lhh, lpeer, markmc, maxim, mburns, mchappel, mgoldboi, michal.skrivanek, mmccomas, mmccune, mrike, obarenbo, ohadlevy, pcahyna, rbryant, rchan, rhos-maint, rjerrido, roliveri, sbonazzo, sclewis, security-response-team, sherold, simaishi, sisharma, slinaber, smallamp, smunilla, ssaha, sthangav, tcarlin, tdecacqu, tkuratom, trankin, tsanders, tvignaud, vbellur |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-06-10 10:30:57 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1598807, 1598808, 1598809, 1598810, 1598811, 1598812, 1599296, 1602768, 1602769, 1602770, 1602771, 1607723, 1610582, 1610583, 1610584, 1636192, 1636194 | ||
| Bug Blocks: | 1595939 | ||
|
Description
Adam Mariš
2018-06-29 07:56:12 UTC
Acknowledgments: Name: Michael Scherer (OSAS) Created ansible tracking bugs for this issue: Affects: epel-all [bug 1598810] Affects: fedora-all [bug 1598809] This issue has been addressed in the following products: Red Hat Ansible Engine 2.5 for RHEL 7 Via RHSA-2018:2150 https://access.redhat.com/errata/RHSA-2018:2150 This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Via RHSA-2018:2151 https://access.redhat.com/errata/RHSA-2018:2151 This issue has been addressed in the following products: Red Hat Ansible Engine 2.4 for RHEL 7 Via RHSA-2018:2152 https://access.redhat.com/errata/RHSA-2018:2152 This issue has been addressed in the following products: Red Hat Ansible Engine 2.6 for RHEL 7 Via RHSA-2018:2166 https://access.redhat.com/errata/RHSA-2018:2166 This issue has been addressed in the following products: Red Hat Virtualization 4 for Red Hat Enterprise Linux 7 Via RHSA-2018:2321 https://access.redhat.com/errata/RHSA-2018:2321 This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2018:2585 https://access.redhat.com/errata/RHSA-2018:2585 This issue has been addressed in the following products: Red Hat OpenStack Platform 10.0 (Newton) Via RHSA-2019:0054 https://access.redhat.com/errata/RHSA-2019:0054 Statement: Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository. |