CVE-2019-3828

MEDIUM4.2EPSS 0.03%

Ansible Path Traversal vulnerability

Published: 4/15/2019Modified: 4/28/2026

Description

Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.

Affected packages (5)

Alpine/ansiblefrom 0, < 2.8.11-r0
Alpine/ansible-basefrom 0, < 2.9.7-r0
Debian/ansiblefrom 0, < 2.7.7+dfsg-1
PyPI/ansiblefrom 0, < 2.5.15
PyPI/ansible>= 2.5.0, < 2.5.15, >= 2.6.0, < 2.6.14, >= 2.7.0, < 2.7.8

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N
osv	CVSS 3.1	MEDIUM4.2	CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References (19)

ADVISORYhttps://github.com/advisories/GHSA-74vq-h4q8-x6jv
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-3828
ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2019-3828
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2019-3828
PATCHhttps://github.com/ansible/ansible
WEBhttp://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
WEBhttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
WEBhttp://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
WEBhttp://packetstormsecurity.com/files/172837/Ansible-Fetch-Path-Traversal.html
WEBhttps://access.redhat.com/errata/RHSA-2019:3744
WEBhttps://access.redhat.com/errata/RHSA-2019:3789
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828
WEBhttps://github.com/ansible/ansible/commit/396a2f74717477d80600450e2b7e45349d7b5110
WEBhttps://github.com/ansible/ansible/commit/4be3215d2f9f84ca283895879f0c6ce1ed7dd333
WEBhttps://github.com/ansible/ansible/commit/f3edc091523fbe301926b7a0db25fbbd96940d93
WEBhttps://github.com/ansible/ansible/pull/52133
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-5.yaml
WEBhttps://usn.ubuntu.com/4072-1
WEBhttps://usn.ubuntu.com/4072-1/