CVE-2019-10156

MEDIUM5.4EPSS 0.59%

ansible - security update

Published: 7/31/2019Modified: 11/19/2025

Also known as:ALPINE-CVE-2019-10156DEBIAN-CVE-2019-10156

Description

A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.

Affected packages (6)

Alpine/ansiblefrom 0, < 2.8.2-r0
Alpine/ansible-basefrom 0, < 2.8.2-r0
Debian/ansiblefrom 0, < 2.8.3+dfsg-1
Debian/ansiblefrom 0, < 2.7.7+dfsg-1+deb10u1
PyPI/ansiblefrom 0, < 2.6.18
PyPI/ansiblefrom 0, < 2.6.18, >= 2.7.0, < 2.7.12, >= 2.8.0, < 2.8.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

References (16)

ADVISORYhttps://github.com/advisories/GHSA-grgm-pph5-j5h7
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10156
ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2019-10156
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-10156
PATCHhttps://github.com/ansible/ansible
WEBhttps://access.redhat.com/errata/RHSA-2019:3744
WEBhttps://access.redhat.com/errata/RHSA-2019:3789
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156
WEBhttps://github.com/ansible/ansible/commit/04e94274fb92e116e9082cc9b86b1fd05c836922
WEBhttps://github.com/ansible/ansible/commit/3ff6505e8ff0e4655bab008886983476ef903375
WEBhttps://github.com/ansible/ansible/commit/a11c3edfa41e7e4a4db323cdabfc2eae1b61da2a
WEBhttps://github.com/ansible/ansible/pull/57188
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-2.yaml
WEBhttps://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
WEBhttps://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
WEBhttps://www.debian.org/security/2021/dsa-4950