{
  "threat_severity" : "Moderate",
  "public_date" : "2019-02-12T00:00:00Z",
  "bugzilla" : {
    "description" : "Ansible: path traversal in the fetch module",
    "id" : "1676689",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1676689"
  },
  "cvss3" : {
    "cvss3_base_score" : "4.2",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-22",
  "details" : [ "The Ansible fetch module before versions 2.5.15, 2.6.14 and 2.7.8 has a path traversal vulnerability (CWE-22): it did not reject an absolute path when building the local destination, so a file fetched from a managed node could be copied to, and overwrite, files outside the specified destination directory on the Ansible controller host.", "A path traversal flaw was found in Ansible. The fetch module allows copying and overwriting files outside of the specified destination directory on the local Ansible controller host because it does not restrict an absolute path. Note that the files at risk are on the controller, not on the managed node being fetched from; a managed node that can influence the fetched path can therefore affect the controller. The main threat from this vulnerability is to data confidentiality and integrity on the controller." ],
  "statement" : "Red Hat CloudForms 4.5 and 4.6 are in the Maintenance Support Phase of their support and maintenance life cycle. For these products this issue has been rated as having a security impact of Moderate and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat CloudForms Life Cycle: https://access.redhat.com/support/policy/updates/cloudforms/",
  "acknowledgement" : "Red Hat would like to thank Kevin Backhouse (Semmle Security Research Team) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Engine 2.5 for RHEL 7",
    "release_date" : "2019-02-28T00:00:00Z",
    "advisory" : "RHSA-2019:0432",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.5::el7",
    "package" : "ansible-0:2.5.15-1.el7ae",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.6 for RHEL 7",
    "release_date" : "2019-02-28T00:00:00Z",
    "advisory" : "RHSA-2019:0433",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.6::el7",
    "package" : "ansible-0:2.6.14-1.el7ae",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.7 for RHEL 7",
    "release_date" : "2019-02-28T00:00:00Z",
    "advisory" : "RHSA-2019:0431",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.7::el7",
    "package" : "ansible-0:2.7.8-1.el7ae",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 7",
    "release_date" : "2019-02-28T00:00:00Z",
    "advisory" : "RHSA-2019:0430",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el7",
    "package" : "ansible-0:2.7.8-1.el7ae",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens)",
    "release_date" : "2019-11-07T00:00:00Z",
    "advisory" : "RHSA-2019:3789",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "ansible-0:2.6.19-1.el7ae"
  }, {
    "product_name" : "Red Hat OpenStack Platform 14.0 (Rocky)",
    "release_date" : "2019-11-06T00:00:00Z",
    "advisory" : "RHSA-2019:3744",
    "cpe" : "cpe:/a:redhat:openstack:14::el7",
    "package" : "ansible-0:2.6.19-1.el7ae"
  } ],
  "package_state" : [ {
    "product_name" : "CloudForms Management Engine 5",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:cloudforms_managementengine:5"
  }, {
    "product_name" : "Red Hat Ansible Tower 3",
    "fix_state" : "Affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ansible_tower:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.2",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.2"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.3"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.4",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.4"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.5",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.5"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.6",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.6"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 3.7",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openshift:3.7"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-3828\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-3828\nhttps://github.com/ansible/ansible/pull/52133" ],
  "name" : "CVE-2019-3828",
  "csaw" : false
}