CVE-2018-10875

A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.

Published: Jul 14, 2018
Updated: Apr 13, 2023
CVE: CVE-2018-10875
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Low
Score: 4.6
AV:L/AC:L/Au:N/C:P/I:P/A:P

CWEs:

CWE-426

Affected Software
References

Software	From	Fixed in
redhat / openshift	3.0	3.0.x
redhat / virtualization_host	4.0	4.0.x
redhat / virtualization	4.0	4.0.x
redhat / ceph_storage	3.0	3.0.x
redhat / ansible_engine	2.5	2.5.x
redhat / ansible_engine	2.0	2.0.x
redhat / ansible_engine	2.4	2.4.x
redhat / ansible_engine	2.6	2.6.x
redhat / openstack	10	10.x
redhat / ceph_storage	2.0	2.0.x
redhat / openstack	12	12.x
redhat / gluster_storage	3.0.0	3.0.0.x
redhat / openstack	13	13.x
debian / debian_linux	9.0	9.0.x
debian / debian_linux	8.0	8.0.x
canonical / ubuntu_linux	16.04	16.04.x
canonical / ubuntu_linux	18.04	18.04.x
canonical / ubuntu_linux	19.04	19.04.x

Vulnerability Database

289,599

CVE-2018-10875