CVE-2019-3828: Ansible Path Traversal vulnerability
(updated )
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
References
- access.redhat.com/errata/RHSA-2019:3744
- access.redhat.com/errata/RHSA-2019:3789
- bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828
- github.com/advisories/GHSA-74vq-h4q8-x6jv
- github.com/ansible/ansible
- github.com/ansible/ansible/commit/396a2f74717477d80600450e2b7e45349d7b5110
- github.com/ansible/ansible/commit/4be3215d2f9f84ca283895879f0c6ce1ed7dd333
- github.com/ansible/ansible/commit/f3edc091523fbe301926b7a0db25fbbd96940d93
- github.com/ansible/ansible/pull/52133
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-5.yaml
- nvd.nist.gov/vuln/detail/CVE-2019-3828
- usn.ubuntu.com/4072-1
Code Behaviors & Features
Detect and mitigate CVE-2019-3828 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →