The Ansible fetch module has a path traversal vulnerability: it does not restrict absolute paths, which allows copying and overwriting files outside of the specified destination on the local Ansible controller host.
Acknowledgments: Name: Kevin Backhouse (Semmle Security Research Team)
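The absolute-path case described above, as an added example (not code from Ansible or from the linked pull request). It assumes a controller that builds the local destination by joining a destination directory with a path reported by the remote host; the function names and sample paths are constructed for illustration, and POSIX path rules are assumed.

```python
import os


def naive_dest(dest_dir, remote_path):
    """Vulnerable pattern (hypothetical): a plain join of two path parts.

    os.path.join() discards dest_dir entirely when remote_path is absolute,
    so the result can point anywhere on the controller's filesystem.
    """
    return os.path.join(dest_dir, remote_path)


def safe_dest(dest_dir, remote_path):
    """Return a local path for remote_path that is guaranteed to sit under
    dest_dir, or raise ValueError if it would escape."""
    base = os.path.realpath(dest_dir)
    # Treat the reported path as relative: normalise separators and drop
    # leading slashes so an absolute path is re-rooted under base.
    relative = remote_path.replace("\\", "/").lstrip("/")
    # realpath() collapses ".." components and resolves symlinks that
    # already exist on the controller.
    candidate = os.path.realpath(os.path.join(base, relative))
    # Containment check: the common prefix of both paths must be base itself.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes destination: %r" % remote_path)
    return candidate


if __name__ == "__main__":
    dest = "/srv/fetched/host1"  # constructed sample destination
    # Constructed sample inputs: absolute, traversal, and ordinary paths.
    for reported in ("/etc/cron.d/job", "../../etc/passwd", "var/log/messages"):
        print("naive:", naive_dest(dest, reported))
        try:
            print("safe: ", safe_dest(dest, reported))
        except ValueError as exc:
            print("safe:  rejected,", exc)
```
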
Created ansible tracking bugs for this issue: Affects: epel-all [bug 1677598] Affects: fedora-all [bug 1677597]
This issue has been addressed in the following products: Red Hat Ansible Engine 2 for RHEL 7 Via RHSA-2019:0430 https://access.redhat.com/errata/RHSA-2019:0430
This issue has been addressed in the following products: Red Hat Ansible Engine 2.7 for RHEL 7 Via RHSA-2019:0431 https://access.redhat.com/errata/RHSA-2019:0431
This issue has been addressed in the following products: Red Hat Ansible Engine 2.5 for RHEL 7 Via RHSA-2019:0432 https://access.redhat.com/errata/RHSA-2019:0432
This issue has been addressed in the following products: Red Hat Ansible Engine 2.6 for RHEL 7 Via RHSA-2019:0433 https://access.redhat.com/errata/RHSA-2019:0433
External References: https://github.com/ansible/ansible/pull/52133
Statement: Red Hat CloudForms 4.5 and 4.6 are now in Maintenance Support Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat CloudForms Life Cycle: https://access.redhat.com/support/policy/updates/cloudforms/
This issue has been addressed in the following products: Red Hat OpenStack Platform 14.0 (Rocky) Via RHSA-2019:3744 https://access.redhat.com/errata/RHSA-2019:3744
This issue has been addressed in the following products: Red Hat OpenStack Platform 13.0 (Queens) Via RHSA-2019:3789 https://access.redhat.com/errata/RHSA-2019:3789