CVE-2019-3828
MEDIUMAnsible < 2.5.15 - Path Traversal via Fetch Module Absolute Path
Title source: llmDescription
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
References (9)
Core 9
Core References
Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-04/msg00021.html
Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00077.html
Third Party Advisory vendor-advisory
https://usn.ubuntu.com/4072-1/
Third Party Advisory vendor-advisory
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00020.html
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:3744
Third Party Advisory vendor-advisory
https://access.redhat.com/errata/RHSA-2019:3789
Issue Tracking, Patch, Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-3828
Patch, Third Party Advisory
https://github.com/ansible/ansible/pull/52133
Exploit, Third Party Advisory
http://packetstormsecurity.com/files/172837/Ansible-Fetch-Path-Traversal.html
Scores
CVSS v3
4.2
EPSS
0.0003
EPSS Percentile
8.9%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-22
Status
published
Products (2)
pypi/ansible
0 - 2.5.15PyPI
redhat/ansible
2.5.0 - 2.5.15
Published
Mar 27, 2019
Tracked Since
Feb 18, 2026