Mageia 6 MGASA-2018-0439 Moderate: Ansible Arbitrary Code Execution
mageia
November 11, 2018
It was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a ...
Summary
It was found that inventory variables are loaded from current working
directory when running ad-hoc command which are under attacker's
control, allowing to run arbitrary code as a result (CVE-2018-10874).
It was found that ansible.cfg is being read from the current working
directory, which can be made to point to plugin or module paths that are
under control of the attacker. This could allow an attacker to execute
arbitrary code (CVE-2018-10875).
References
- https://bugs.mageia.org/show_bug.cgi?id=23321
- https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DXWC5D7CU2JQAN3QB3BCCLZMZLTI2N6W/
- https://www.cve.org/CVERecord?id=CVE-2018-10874
- https://www.cve.org/CVERecord?id=CVE-2018-10875
Resolution
SRPMS
- 6/core/ansible-2.4.6.0-1.1.mga6
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Publication date: 11 Nov 2018
URL: https://advisories.mageia.org/MGASA-2018-0439.html
Type: security
CVE: CVE-2018-10874,
CVE-2018-10875
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!