Bug 1596533 (CVE-2018-10875) - CVE-2018-10875 ansible: ansible.cfg is being read from current working directory allowing possible code execution
Summary: CVE-2018-10875 ansible: ansible.cfg is being read from current working direct...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-10875
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1598803 1598804 1598805 1598806 1598813 1598814 1599297 1602764 1602765 1602766 1602767 1607722 1611793 1611794 1611795 1636193 1636195
Blocks: 1596534
TreeView+ depends on / blocked
 
Reported: 2018-06-29 08:03 UTC by Adam Mariš
Modified: 2022-03-13 15:10 UTC (History)
79 users (show)

Fixed In Version: ansible 2.4.6, ansible 2.5.6, ansible 2.6.1
Doc Type: If docs needed, set a value
Doc Text:
It was found that ansible.cfg is being read from the current working directory, which can be made to point to plugin or module paths that are under control of the attacker. This could allow an attacker to execute arbitrary code.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:30:59 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2150 0 None None None 2018-07-10 09:49:14 UTC
Red Hat Product Errata RHSA-2018:2151 0 None None None 2018-07-10 11:33:13 UTC
Red Hat Product Errata RHSA-2018:2152 0 None None None 2018-07-10 12:56:34 UTC
Red Hat Product Errata RHSA-2018:2166 0 None None None 2018-07-10 17:20:23 UTC
Red Hat Product Errata RHSA-2018:2321 0 None None None 2018-07-31 17:49:57 UTC
Red Hat Product Errata RHSA-2018:2585 0 None None None 2018-08-29 16:05:25 UTC
Red Hat Product Errata RHSA-2019:0054 0 None None None 2019-01-16 17:10:07 UTC

Description Adam Mariš 2018-06-29 08:03:46 UTC
It was found that ansible.cfg is being read from current working directory, which cam be made to point to plugin or module paths that are under control of the attacker, allowing to execute arbitrary code.

Comment 1 Borja Tarraso 2018-06-29 14:13:20 UTC
Acknowledgments:

Name: Brian Coca (Red Hat)

Comment 2 Pavel Cahyna 2018-06-29 14:16:52 UTC
s/cam/can/

Comment 3 Borja Tarraso 2018-07-06 13:51:29 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1598806]
Affects: fedora-all [bug 1598805]

Comment 7 errata-xmlrpc 2018-07-10 09:48:50 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:2150 https://access.redhat.com/errata/RHSA-2018:2150

Comment 8 errata-xmlrpc 2018-07-10 11:32:41 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2018:2151 https://access.redhat.com/errata/RHSA-2018:2151

Comment 9 errata-xmlrpc 2018-07-10 12:56:12 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.4 for RHEL 7

Via RHSA-2018:2152 https://access.redhat.com/errata/RHSA-2018:2152

Comment 10 errata-xmlrpc 2018-07-10 17:20:01 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.6 for RHEL 7

Via RHSA-2018:2166 https://access.redhat.com/errata/RHSA-2018:2166

Comment 13 errata-xmlrpc 2018-07-31 17:49:33 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2321 https://access.redhat.com/errata/RHSA-2018:2321

Comment 14 Borja Tarraso 2018-08-02 08:01:55 UTC
Upstream patch: https://github.com/ansible/ansible/pull/42070

Comment 19 errata-xmlrpc 2018-08-29 16:05:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2018:2585 https://access.redhat.com/errata/RHSA-2018:2585

Comment 24 errata-xmlrpc 2019-01-16 17:10:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0054 https://access.redhat.com/errata/RHSA-2019:0054

Comment 25 Hardik Vyas 2020-12-04 15:33:01 UTC
Statement:

Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of ansible, but they no longer maintain their own version of ansible. Both the products will consume fixes directly from ansible repository.


Note You need to log in before you can comment on or make changes to this bug.