{"id":"PYSEC-2019-5","details":"The Ansible fetch module in versions before 2.5.15, 2.6.14, and 2.7.8 has a path traversal vulnerability: because it does not restrict absolute paths, it allows copying and overwriting files outside of the specified destination on the local Ansible controller host.","aliases":["CVE-2019-3828","GHSA-74vq-h4q8-x6jv"],"modified":"2023-11-01T05:30:37.500753Z","published":"2019-03-27T13:29:00Z","references":[{"type":"WEB","url":"https://github.com/ansible/ansible/pull/52133"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html"},{"type":"WEB","url":"https://usn.ubuntu.com/4072-1/"},{"type":"WEB","url":"http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3744"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2019:3789"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-74vq-h4q8-x6jv"}],"affected":[{"package":{"name":"ansible","ecosystem":"PyPI","purl":"pkg:pypi/ansible"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.5.0"},{"fixed":"2.5.15"},{"introduced":"2.6.0"},{"fixed":"2.6.14"},{"introduced":"2.7.0"},{"fixed":"2.7.8"}]}],"versions":["2.5.0","2.5.1","2.5.2","2.5.3","2.5.4","2.5.5","2.5.6","2.5.7","2.5.8","2.5.9","2.5.10","2.5.11","2.5.12","2.5.13","2.5.14","2.6.0","2.6.1","2.6.2","2.6.3","2.6.4","2.6.5","2.6.6","2.6.7","2.6.8","2.6.9","2.6.10","2.6.11","2.6.12","2.6.13","2.7.0","2.7.1","2.7.2","2.7.3","2.7.4","2.7.5","2.7.6","2.7.7"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2019-5.yaml"}}],"schema_version":"1.7.3"}