GHSA-gfr2-qpxh-qj9m

Source

https://github.com/advisories/GHSA-gfr2-qpxh-qj9m

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-gfr2-qpxh-qj9m/GHSA-gfr2-qpxh-qj9m.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-gfr2-qpxh-qj9m

Aliases

Published

2021-04-07T20:35:24Z

Modified

2024-09-09T21:21:50.308910Z

Severity

4.6 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
4.6 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Path Traversal in Ansible

Details

A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

References

Affected packages

PyPI / ansible

Package

Name: ansible; View open source insights on deps.dev
Purl: pkg:pypi/ansible

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.7.0a1

Fixed

2.7.18

Affected versions

2.*

2.7.0a1

2.7.0b1

2.7.0rc1

2.7.0rc2

2.7.0rc3

2.7.0rc4

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.7.10

2.7.11

2.7.12

2.7.13

2.7.14

2.7.15

2.7.16

2.7.17

PyPI / ansible

Package

Name: ansible; View open source insights on deps.dev
Purl: pkg:pypi/ansible

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.8.0a1

Fixed

2.8.12

Affected versions

2.*

2.8.0a1

2.8.0b1

2.8.0rc1

2.8.0rc2

2.8.0rc3

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.8.10

2.8.11

PyPI / ansible

Package

Name: ansible; View open source insights on deps.dev
Purl: pkg:pypi/ansible

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.9.0a1

Fixed

2.9.8

Affected versions

2.*

2.9.0b1

2.9.0rc1

2.9.0rc2

2.9.0rc3

2.9.0rc4

2.9.0rc5

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7