CVE-2019-10156
ansible - security update
CVSS 3.1: 5.4 (MEDIUM)
EPSS: 0.59%
Description
A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.
How to fix CVE-2019-10156
To remediate CVE-2019-10156, upgrade the affected package to a fixed version below.
- upgrade to 2.8.2-r0 or later
- upgrade to 2.8.2-r0 or later
- upgrade to 2.8.3+dfsg-1 or later
- upgrade to 2.7.7+dfsg-1+deb10u1 or later
- upgrade to 2.6.18 or later
- upgrade to 2.6.18 or later
Is CVE-2019-10156 being exploited?
Low — EPSS is 0.6%, meaning exploitation activity has not been observed at scale.
Affected packages (6)
- from 0, < 2.8.2-r0
- from 0, < 2.8.2-r0
- from 0, < 2.8.3+dfsg-1
- from 0, < 2.7.7+dfsg-1+deb10u1
- from 0, < 2.6.18
- from 0, < 2.6.18; >= 2.7.0, < 2.7.12; >= 2.8.0, < 2.8.2
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |