{"id":"PYSEC-2019-75","details":"The Ansible fetch module before versions 2.5.15, 2.6.14, and 2.7.8 has a path traversal vulnerability: because it does not restrict absolute paths, files can be copied and overwritten outside of the specified destination on the local Ansible controller host.","modified":"2023-03-14T07:01:09.383328Z","published":"2019-03-27T13:29:00Z","withdrawn":"2023-03-14T07:01:09.383328Z","references":[{"type":"WEB","url":"https://github.com/ansible/ansible/pull/52133"},{"type":"WEB","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"},{"type":"WEB","url":"https://usn.ubuntu.com/4072-1/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:3744"},{"type":"WEB","url":"https://access.redhat.com/errata/RHSA-2019:3789"}],"affected":[{"package":{"name":"ansible","ecosystem":"PyPI","purl":"pkg:pypi/ansible"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.5.0"},{"fixed":"2.5.15"},{"introduced":"2.6.0"},{"fixed":"2.6.14"},{"introduced":"2.7.0"},{"fixed":"2.7.8"}]}],"versions":["2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.5.6","2.5.7","2.5.8","2.5.9","2.5.10","2.5.11","2.5.12","2.5.13","2.5.14","2.6.0","2.6.1","2.6.2","2.6.3","2.6.4","2.6.5","2.6.6","2.6.7","2.6.8","2.6.9","2.6.10","2.6.11","2.6.12","2.6.13","2.7.0","2.7.1","2.7.2","2.7.3","2.7.4","2.7.5","2.7.6","2.7.7"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2019-75.yaml"}}],"schema_version":"1.7.3"}