First published: Wed Jun 05 2019
[ansible_password] in the ~/.ssh/authorized_keys file is replaced by the administrator's password on the remote node by templating. Upstream pull: https://github.com/ansible/ansible/pull/57188
Credit: secalert@redhat.com
Affected Software | Affected Version | How to fix |
---|---|---|
Redhat Ansible | <2.6.18 | |
Redhat Ansible | >=2.7.0<2.7.12 | |
Redhat Ansible | >=2.8.0<2.8.2 | |
Redhat Openstack | =13 | |
Redhat Openstack | =14 | |
Debian Debian Linux | =8.0 | |
Debian Debian Linux | =9.0 | |
redhat/ansible-engine | <2.6.18 | 2.6.18 |
redhat/ansible-engine | <2.7.12 | 2.7.12 |
redhat/ansible-engine | <2.8.2 | 2.8.2 |
debian/ansible | 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1, 7.7.0+dfsg-3+deb12u1, 10.1.0+dfsg-1 | |
pip/ansible | >=2.8.0a1<2.8.2 | 2.8.2 |
pip/ansible | >=2.7.0a1<2.7.12 | 2.7.12 |
pip/ansible | <2.6.18 | 2.6.18 |
The vulnerability ID for this flaw in Ansible templating is CVE-2019-10156.
The severity of CVE-2019-10156 is medium (severity value of 4).
Versions before 2.6.18, 2.7.12, and 2.8.2 of Ansible are affected by CVE-2019-10156.
An attacker can exploit the vulnerability in CVE-2019-10156 by taking advantage of unintended variable substitution, which can lead to information disclosure.
A fix for CVE-2019-10156 is available in Ansible versions 2.6.18, 2.7.12, and 2.8.2.