CVE-2018-10874
EUVD-2018-002002.07.2018, 13:29
In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.Enginsight
Affected Products (NVD)
| Vendor | Product | Version |
|---|---|---|
| redhat | ansible_engine | 2.0 |
| redhat | ansible_engine | 2.4 |
| redhat | ansible_engine | 2.5 |
| redhat | ansible_engine | 2.6 |
| redhat | virtualization | 4.0 |
| redhat | virtualization_host | 4.0 |
𝑥
= Vulnerable software versions
Debian Releases
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ansible |
|
Common Weakness Enumeration
- CWE-426 - Untrusted Search PathThe application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.
- CWE-20 - Improper Input ValidationThe product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
References