{"id":"USN-4072-1","summary":"ansible vulnerabilities","details":"It was discovered that Ansible failed to properly handle sensitive information.\nA local attacker could use these vulnerabilities to extract that information.\n(CVE-2017-7481)\n(CVE-2018-10855)\n(CVE-2018-16837)\n(CVE-2018-16876)\n(CVE-2019-10156)\n\nIt was discovered that Ansible could load configuration files from the current\nworking directory containing crafted commands. An attacker could run arbitrary\ncode as a result.\n(CVE-2018-10874)\n(CVE-2018-10875)\n\nIt was discovered that the Ansible fetch module had a path traversal vulnerability.\nA local attacker could copy and overwrite files outside of the specified\ndestination.\n(CVE-2019-3828)\n","modified":"2026-02-10T04:41:35Z","published":"2019-07-24T23:07:07Z","related":["UBUNTU-CVE-2017-7481","UBUNTU-CVE-2018-10855","UBUNTU-CVE-2018-10874","UBUNTU-CVE-2018-10875","UBUNTU-CVE-2018-16837","UBUNTU-CVE-2018-16876","UBUNTU-CVE-2019-10156","UBUNTU-CVE-2019-3828"],"upstream":["CVE-2017-7481","CVE-2018-10855","CVE-2018-10874","CVE-2018-10875","CVE-2018-16837","CVE-2018-16876","CVE-2019-10156","CVE-2019-3828","UBUNTU-CVE-2017-7481","UBUNTU-CVE-2018-10855","UBUNTU-CVE-2018-10874","UBUNTU-CVE-2018-10875","UBUNTU-CVE-2018-16837","UBUNTU-CVE-2018-16876","UBUNTU-CVE-2019-10156","UBUNTU-CVE-2019-3828"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-4072-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2017-7481"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-10855"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-10874"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-10875"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-16837"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2018-16876"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-3828"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2019-10156"}],"affected":[{"package":{"name":"ansible","ec
osystem":"Ubuntu:16.04:LTS","purl":"pkg:deb/ubuntu/ansible@2.0.0.2-2ubuntu1.3?arch=source&distro=xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.0.2-2ubuntu1.3"}]}],"versions":["1.9.2+dfsg-2","1.9.4-1","2.0.0.2-2","2.0.0.2-2ubuntu1","2.0.0.2-2ubuntu1.1","2.0.0.2-2ubuntu1.2"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_name":"ansible","binary_version":"2.0.0.2-2ubuntu1.3"},{"binary_name":"ansible-fireball","binary_version":"2.0.0.2-2ubuntu1.3"},{"binary_name":"ansible-node-fireball","binary_version":"2.0.0.2-2ubuntu1.3"}]},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2017-7481"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-10875"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-16837"}],"ecosystem":"Ubuntu:16.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4072-1.json"}},{"package":{"name":"ansible","ecosystem":"Ubuntu:18.04:LTS","purl":"pkg:deb/ubuntu/ansible@2.5.1+dfsg-1ubuntu0.1?arch=source&distro=bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.5.1+dfsg-1ubuntu0.1"}]}],"versions":["2.3.1.0+dfsg-2","2.5.0+dfsg-1","2.5.1+dfsg-1"],"ecosystem_specific":{"availability":"No subscription 
required","binaries":[{"binary_name":"ansible","binary_version":"2.5.1+dfsg-1ubuntu0.1"}]},"database_specific":{"cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"low"}],"id":"CVE-2018-10855"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-10874"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-10875"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-16837"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2018-16876"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2019-3828"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"},{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"},{"type":"Ubuntu","sco
re":"medium"}],"id":"CVE-2019-10156"}],"ecosystem":"Ubuntu:18.04:LTS"},"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4072-1.json"}}],"schema_version":"1.7.3"}