SB2019110681 - Red Hat OpenStack Platform 14 update for ansible 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019110681

SB2019110681 - Red Hat OpenStack Platform 14 update for ansible

Published: November 6, 2019

Security Bulletin ID SB2019110681
Severity
High
Patch available
YES
Number of vulnerabilities 3
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

High 33% Medium 67%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 3 secuirty vulnerabilities.


1) Information disclosure (CVE-ID: CVE-2019-10156)

The vulnerability allows a remote authenticated user to read and manipulate data.

A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.


2) Input validation error (CVE-ID: CVE-2019-10206)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.


3) Path traversal (CVE-ID: CVE-2019-3828)

The vulnerability allows a remote attacker to perform directory traversal attacks.

The vulnerability exists due to input validation error when processing directory traversal sequences. A remote attacker can send a specially crafted HTTP request and copy and overwrite files outside of the specified destination in the local ansible controller host.


Remediation

Install update from vendor's website.

References