GHSA-74vq-h4q8-x6jv

Suggest an improvement
Source
https://github.com/advisories/GHSA-74vq-h4q8-x6jv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2019/04/GHSA-74vq-h4q8-x6jv/GHSA-74vq-h4q8-x6jv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-74vq-h4q8-x6jv
Aliases
Published
2019-04-15T16:19:19Z
Modified
2024-11-27T05:24:37.384966Z
Severity
  • 4.2 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
  • 2.4 (Low) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator
Summary
Ansible Path Traversal vulnerability
Details

Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.

Database specific
{
    "nvd_published_at": "2019-03-27T13:29:01Z",
    "cwe_ids": [
        "CWE-22"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:21:22Z"
}
References

Affected packages

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.5.15

Affected versions

1.*

1.0
1.1
1.2
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.5
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.6
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.7
1.7.1
1.7.2
1.8
1.8.1
1.8.2
1.8.3
1.8.4
1.9.0
1.9.0.1
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6

2.*

2.0.0
2.0.0.0
2.0.0.1
2.0.0.2
2.0.1.0
2.0.2.0
2.1.0.0
2.1.1.0
2.1.2.0
2.1.3.0
2.1.4.0
2.1.5.0
2.1.6.0
2.2.0.0
2.2.1.0
2.2.2.0
2.2.3.0
2.3.0.0
2.3.1.0
2.3.2.0
2.3.3.0
2.4.0.0
2.4.1.0
2.4.2.0
2.4.3.0
2.4.4.0
2.4.5.0
2.4.6.0
2.5.0a1
2.5.0b1
2.5.0b2
2.5.0rc1
2.5.0rc2
2.5.0rc3
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.5.9
2.5.10
2.5.11
2.5.12
2.5.13
2.5.14

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.0a1
Fixed
2.6.14

Affected versions

2.*

2.6.0a1
2.6.0a2
2.6.0rc1
2.6.0rc2
2.6.0rc3
2.6.0rc4
2.6.0rc5
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0a1
Fixed
2.7.8

Affected versions

2.*

2.7.0a1
2.7.0b1
2.7.0rc1
2.7.0rc2
2.7.0rc3
2.7.0rc4
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7