Description
A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.
References (7)
Core 7
Core References
Issue Tracking, Vendor Advisory x_refsource_confirm
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156
Patch, Third Party Advisory x_refsource_confirm
https://github.com/ansible/ansible/pull/57188
Vendor Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3744
Vendor Advisory vendor-advisory
x_refsource_redhat
https://access.redhat.com/errata/RHSA-2019:3789
Mailing List, Third Party Advisory mailing-list
x_refsource_mlist
https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
Third Party Advisory vendor-advisory
x_refsource_debian
https://www.debian.org/security/2021/dsa-4950
Scores
CVSS v3
5.4
EPSS
0.0059
EPSS Percentile
69.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-200
Status
published
Products (6)
debian/debian_linux
8.0
debian/debian_linux
9.0
pypi/ansible
0 - 2.6.18PyPI
redhat/ansible
< 2.6.18
redhat/openstack
13
redhat/openstack
14
Published
Jul 30, 2019
Tracked Since
Feb 18, 2026