{"id":"MGASA-2018-0439","summary":"Updated ansible package fixes security vulnerabilities","details":"It was found that inventory variables are loaded from current working\ndirectory when running ad-hoc command which are under attacker's\ncontrol, allowing to run arbitrary code as a result (CVE-2018-10874).\n\nIt was found that ansible.cfg is being read from the current working\ndirectory, which can be made to point to plugin or module paths that are\nunder control of the attacker. This could allow an attacker to execute\narbitrary code (CVE-2018-10875).\n","modified":"2026-04-16T06:23:43.304644456Z","published":"2018-11-11T21:09:54Z","upstream":["CVE-2018-10874","CVE-2018-10875"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2018-0439.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=23321"},{"type":"WEB","url":"https://github.com/ansible/ansible/blob/stable-2.4/CHANGELOG.md"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/DXWC5D7CU2JQAN3QB3BCCLZMZLTI2N6W/"}],"affected":[{"package":{"name":"ansible","ecosystem":"Mageia:6","purl":"pkg:rpm/mageia/ansible?arch=source&distro=mageia-6"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.4.6.0-1.1.mga6"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2018-0439.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}