{"id":"PYSEC-2018-43","details":"A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.","aliases":["CVE-2018-10875","GHSA-fc4h-467w-46rh"],"modified":"2024-04-22T22:27:01.915323Z","published":"2018-07-13T22:29:00Z","references":[{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2166"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2152"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2151"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2150"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2321"},{"type":"WEB","url":"http://www.securitytracker.com/id/1041396"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2018:2585"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHBA-2018:3788"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:0054"},{"type":"ADVISORY","url":"https://www.debian.org/security/2019/dsa-4396"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"},{"type":"WEB","url":"https://usn.ubuntu.com/4072-1/"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html"}],"affected":[{"package":{"name":"ansible","ecosystem":"PyPI","purl":"pkg:pypi/ansible"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.5"},{"fixed":"2.5.6"},{"introduced":"2.4"},{"fixed":"2.4.6.0"},{"introduced":"2.6"},{"fixed":"2.6.1"}]}],"versions":["2.4.0.0","2.4.1.0","2.4.2.0","2.4.3.0","2.4.4.0","2.4.5.0","2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.6.0"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2018-43.yaml"}}],"schema_version":"1.7.3"}