Bug 1596533 (CVE-2018-10875) - CVE-2018-10875 ansible: ansible.cfg is being read from current working directory allowing possible code execution
Summary: CVE-2018-10875 ansible: ansible.cfg is being read from current working direct...
Status: NEW
Alias: CVE-2018-10875
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180629,repor...
Keywords: Security
Depends On: 1611793 1611794 1598803 1598804 1598805 1598806 1598813 1598814 1599297 1602764 1602765 1602766 1602767 1607722 1611795 1636193 1636195
Blocks: 1596534
TreeView+ depends on / blocked
 
Reported: 2018-06-29 08:03 UTC by Adam Mariš
Modified: 2019-02-18 01:44 UTC (History)
82 users (show)

Fixed In Version: ansible 2.4.6, ansible 2.5.6, ansible 2.6.1
Doc Type: If docs needed, set a value
Doc Text:
It was found that ansible.cfg is being read from the current working directory, which can be made to point to plugin or module paths that are under control of the attacker. This could allow an attacker to execute arbitrary code.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2150 None None None 2018-07-10 09:49 UTC
Red Hat Product Errata RHSA-2018:2151 None None None 2018-07-10 11:33 UTC
Red Hat Product Errata RHSA-2018:2152 None None None 2018-07-10 12:56 UTC
Red Hat Product Errata RHSA-2018:2166 None None None 2018-07-10 17:20 UTC
Red Hat Product Errata RHSA-2018:2321 None None None 2018-07-31 17:49 UTC
Red Hat Product Errata RHSA-2018:2585 None None None 2018-08-29 16:05 UTC
Red Hat Product Errata RHSA-2019:0054 None None None 2019-01-16 17:10 UTC

Description Adam Mariš 2018-06-29 08:03:46 UTC
It was found that ansible.cfg is being read from current working directory, which cam be made to point to plugin or module paths that are under control of the attacker, allowing to execute arbitrary code.

Comment 1 Borja Tarraso 2018-06-29 14:13:20 UTC
Acknowledgments:

Name: Brian Coca (Red Hat)

Comment 2 Pavel Cahyna 2018-06-29 14:16:52 UTC
s/cam/can/

Comment 3 Borja Tarraso 2018-07-06 13:51:29 UTC
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1598806]
Affects: fedora-all [bug 1598805]

Comment 7 errata-xmlrpc 2018-07-10 09:48:50 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2018:2150 https://access.redhat.com/errata/RHSA-2018:2150

Comment 8 errata-xmlrpc 2018-07-10 11:32:41 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2018:2151 https://access.redhat.com/errata/RHSA-2018:2151

Comment 9 errata-xmlrpc 2018-07-10 12:56:12 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.4 for RHEL 7

Via RHSA-2018:2152 https://access.redhat.com/errata/RHSA-2018:2152

Comment 10 errata-xmlrpc 2018-07-10 17:20:01 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.6 for RHEL 7

Via RHSA-2018:2166 https://access.redhat.com/errata/RHSA-2018:2166

Comment 13 errata-xmlrpc 2018-07-31 17:49:33 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2018:2321 https://access.redhat.com/errata/RHSA-2018:2321

Comment 14 Borja Tarraso 2018-08-02 08:01:55 UTC
Upstream patch: https://github.com/ansible/ansible/pull/42070

Comment 19 errata-xmlrpc 2018-08-29 16:05:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2018:2585 https://access.redhat.com/errata/RHSA-2018:2585

Comment 24 errata-xmlrpc 2019-01-16 17:10:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 10.0 (Newton)

Via RHSA-2019:0054 https://access.redhat.com/errata/RHSA-2019:0054


Note You need to log in before you can comment on or make changes to this bug.