{
  "threat_severity" : "Moderate",
  "public_date" : "2019-06-04T00:00:00Z",
  "bugzilla" : {
    "description" : "ansible: unsafe template evaluation of returned module data can lead to information disclosure",
    "id" : "1717311",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1717311"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.6",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-200",
  "details" : [ "A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, which could lead to information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution, the content of any variable may be disclosed.", "A flaw was discovered in the way Ansible templating was implemented, which could lead to information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution, the content of any variable may be disclosed." ],
  "acknowledgement" : "Red Hat would like to thank Ichiko Sakamoto (Solution Innovators) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Engine 2.6 for RHEL 7",
    "release_date" : "2019-07-09T00:00:00Z",
    "advisory" : "RHSA-2019:1707",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.6::el7",
    "package" : "ansible-0:2.6.18-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.7 for RHEL 7",
    "release_date" : "2019-07-09T00:00:00Z",
    "advisory" : "RHSA-2019:1705",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.7::el7",
    "package" : "ansible-0:2.7.12-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 7",
    "release_date" : "2019-07-09T00:00:00Z",
    "advisory" : "RHSA-2019:1708",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el7",
    "package" : "ansible-0:2.8.2-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 8",
    "release_date" : "2019-07-09T00:00:00Z",
    "advisory" : "RHSA-2019:1708",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el8",
    "package" : "ansible-0:2.8.2-1.el8ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 7",
    "release_date" : "2019-07-09T00:00:00Z",
    "advisory" : "RHSA-2019:1706",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el7",
    "package" : "ansible-0:2.8.2-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 8",
    "release_date" : "2019-07-09T00:00:00Z",
    "advisory" : "RHSA-2019:1706",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el8",
    "package" : "ansible-0:2.8.2-1.el8ae"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens)",
    "release_date" : "2019-11-07T00:00:00Z",
    "advisory" : "RHSA-2019:3789",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "ansible-0:2.6.19-1.el7ae"
  }, {
    "product_name" : "Red Hat OpenStack Platform 14.0 (Rocky)",
    "release_date" : "2019-11-06T00:00:00Z",
    "advisory" : "RHSA-2019:3744",
    "cpe" : "cpe:/a:redhat:openstack:14::el7",
    "package" : "ansible-0:2.6.19-1.el7ae"
  } ],
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "Red Hat Ansible Tower 3",
    "fix_state" : "Affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ansible_tower:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.2",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.3",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.3"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.4",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.5",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.5"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.6",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.7",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.7"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10156\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10156" ],
  "name" : "CVE-2019-10156",
  "csaw" : false
}