CVE-2018-10874
arbitrary code execution vulnerability in ansible (PyPI)
What is CVE-2018-10874 About?
This vulnerability in Ansible allows arbitrary code execution due to inventory variables being loaded from the current working directory during ad-hoc commands. An attacker can control these variables to execute malicious code. This is an easy-to-exploit vulnerability if an attacker can control the working directory.
Affected Software
- ansible
- >=2.6, <2.6.1
- <2.4.6.0
- >=2.5, <2.5.6
Technical Details
When Ansible executes ad-hoc commands, it implicitly loads inventory variables from the current working directory. If an attacker can control the current working directory from which an Ansible ad-hoc command is run, they can place malicious files (e.g., Python scripts or YAML files with crafted variables) that Ansible will then load and execute as part of its inventory processing. This allows the attacker to inject and run arbitrary code on the system executing the Ansible command, leveraging the privileges of the Ansible process.
What is the Impact of CVE-2018-10874?
Successful exploitation may allow attackers to execute arbitrary code with the privileges of the Ansible process, leading to full system compromise, data manipulation, or denial of service.
What is the Exploitability of CVE-2018-10874?
Exploitation of this vulnerability is of low complexity. It requires an attacker to control the current working directory from which Ansible ad-hoc commands are invoked. No authentication to Ansible itself is explicitly mentioned as a prerequisite for loading variables, but the attacker needs to be able to influence the execution context (e.g., by being a local user or achieving initial compromise that allows them to manipulate the current directory). This can be a local or potentially remote vulnerability if an attacker can influence the working directory via a remote execution vector. The key risk factor is the implicit loading of variables from the current working directory, making it vulnerable to poisoned local environments.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2018-10874?
Available Upgrade Options
- ansible
- <2.4.6.0 → Upgrade to 2.4.6.0
- ansible
- >=2.5, <2.5.6 → Upgrade to 2.5.6
- ansible
- >=2.6, <2.6.1 → Upgrade to 2.6.1
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://access.redhat.com/security/cve/CVE-2018-10874
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10874
- https://access.redhat.com/errata/RHSA-2018:2321
- https://access.redhat.com/errata/RHSA-2018:2150
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-81.yaml
- https://access.redhat.com/errata/RHSA-2018:2585
- https://access.redhat.com/errata/RHSA-2018:2152
- https://access.redhat.com/errata/RHSA-2018:2166
- https://access.redhat.com/errata/RHSA-2018:2151
What are Similar Vulnerabilities to CVE-2018-10874?
Similar Vulnerabilities: CVE-2023-49276 , CVE-2023-49277 , CVE-2023-49278 , CVE-2023-49279 , CVE-2023-49280
