Bug 1676689 (CVE-2019-3828) - CVE-2019-3828 Ansible: path traversal in the fetch module
Summary: CVE-2019-3828 Ansible: path traversal in the fetch module
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-3828
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1679906 1693271 1676690 1677201 1677202 1677203 1677519 1677520 1677521 1677596 1677597 1677598 1679905
Blocks: 1675477
TreeView+ depends on / blocked
 
Reported: 2019-02-12 21:26 UTC by Borja Tarraso
Modified: 2020-05-19 16:59 UTC (History)
55 users (show)

Fixed In Version: ansible-engine 2.5.15, ansible-engine 2.6.14, ansible-engine 2.7.8
Doc Type: If docs needed, set a value
Doc Text:
A path traversal flaw was found in ansible. The fetch module allows copying and overwriting files outside of the specified destination in the local ansible controller host by not restricting an absolute path. The main threat from this vulnerability is to data confidentiality and integrity.
Clone Of:
Environment:
Last Closed: 2019-06-10 10:47:50 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0430 None None None 2019-02-28 08:18:58 UTC
Red Hat Product Errata RHSA-2019:0431 None None None 2019-02-28 08:19:13 UTC
Red Hat Product Errata RHSA-2019:0432 None None None 2019-02-28 08:19:23 UTC
Red Hat Product Errata RHSA-2019:0433 None None None 2019-02-28 08:19:48 UTC
Red Hat Product Errata RHSA-2019:3744 None None None 2019-11-06 15:26:32 UTC
Red Hat Product Errata RHSA-2019:3789 None None None 2019-11-07 13:46:18 UTC

Description Borja Tarraso 2019-02-12 21:26:12 UTC 
Ansible fetch module has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
Comment 1 Borja Tarraso 2019-02-12 21:26:14 UTC 
Acknowledgments:

Name: Kevin Backhouse (Semmle Security Research Team)
Comment 6 Borja Tarraso 2019-02-15 10:35:33 UTC 
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1677598]
Affects: fedora-all [bug 1677597]
Comment 10 errata-xmlrpc 2019-02-28 08:18:56 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2 for RHEL 7

Via RHSA-2019:0430 https://access.redhat.com/errata/RHSA-2019:0430
Comment 11 errata-xmlrpc 2019-02-28 08:19:11 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.7 for RHEL 7

Via RHSA-2019:0431 https://access.redhat.com/errata/RHSA-2019:0431
Comment 12 errata-xmlrpc 2019-02-28 08:19:21 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.5 for RHEL 7

Via RHSA-2019:0432 https://access.redhat.com/errata/RHSA-2019:0432
Comment 13 errata-xmlrpc 2019-02-28 08:19:46 UTC 
This issue has been addressed in the following products:

  Red Hat Ansible Engine 2.6 for RHEL 7

Via RHSA-2019:0433 https://access.redhat.com/errata/RHSA-2019:0433
Comment 14 Borja Tarraso 2019-02-28 12:28:16 UTC 
External References:

https://github.com/ansible/ansible/pull/52133
Comment 18 Richard Maciel Costa 2019-05-31 19:28:51 UTC 
Statement:

Red Hat CloudForms 4.5 and 4.6 are now in Maintenance Support Phase of the support and maintenance life cycle. This has been rated as having a security impact of Moderate, and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat CloudForms Life Cycle: https://access.redhat.com/support/policy/updates/cloudforms/
Comment 19 errata-xmlrpc 2019-11-06 15:26:30 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 14.0 (Rocky)

Via RHSA-2019:3744 https://access.redhat.com/errata/RHSA-2019:3744
Comment 20 errata-xmlrpc 2019-11-07 13:46:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenStack Platform 13.0 (Queens)

Via RHSA-2019:3789 https://access.redhat.com/errata/RHSA-2019:3789
Note You need to log in before you can comment on or make changes to this bug.