Candidate: CVE-2019-3828
PublicDate: 2019-03-27 13:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-3828
 https://bugzilla.redhat.com/show_bug.cgi?id=1676689
Description:
 Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path
 traversal vulnerability which allows copying and overwriting files outside
 of the specified destination in the local ansible controller host, by not
 restricting an absolute path.
Ubuntu-Description:
Notes:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N [4.2 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N [10.0 CRITICAL]


Patches_ansible:
upstream_ansible: needs-triage
precise/esm_ansible: DNE
trusty_ansible: ignored (out of standard support)
trusty/esm_ansible: not-affected (code not present)
xenial_ansible: not-affected (code not present)
bionic_ansible: released (2.5.1+dfsg-1ubuntu0.1)
cosmic_ansible: ignored (reached end-of-life)
disco_ansible: not-affected (2.7.7+dfsg-1)
devel_ansible: not-affected (2.7.7+dfsg-1)