CVE-2016-3096: Link Following in ansible
CVSS Score: 7.8 (CVSS 3.0)
Basic Information
CVE ID
GHSA ID
EPSS Score: 0.26126%
CWE
Published: 10/10/2018
Updated: 9/4/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ansible | pip | <= 1.9.6.0 | 1.9.6.1 |
ansible | pip | >= 2.0.0.0, <= 2.0.1.0 | 2.0.2.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability description explicitly cites the create_script function in the lxc_container module as the source of insecure temporary file handling. The commit diff shows this function was modified to replace static paths with tempfile.mkstemp(), confirming it previously used predictable paths. The CWE-59 (Link Following) mapping and patch message ('do not use predictable filenames') directly implicate this function's original implementation.
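The difference between a static path and tempfile.mkstemp(), as an added example that is not code from the ansible repository. The file name lxc-attach-script, the helper names and the sandbox directories are assumptions made for illustration, and everything runs inside a private temporary directory.

```python
import os
import stat
import tempfile

SCRIPT = "#!/bin/sh\necho hello\n"
STATIC_NAME = "lxc-attach-script"  # hypothetical fixed name, not taken from the module


def write_script_predictable(workdir, body):
    """Pre-fix pattern: a fixed name opened with open(), which follows symlinks."""
    path = os.path.join(workdir, STATIC_NAME)
    with open(path, "w") as fh:
        fh.write(body)
    return path


def write_script_mkstemp(workdir, body):
    """Post-fix pattern: mkstemp() picks a random name and creates it with
    O_CREAT | O_EXCL and mode 0600, so an existing link is never reused."""
    fd, path = tempfile.mkstemp(prefix=STATIC_NAME, dir=workdir)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    return path


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as base:
        shared = os.path.join(base, "shared-tmp")      # stands in for a shared /tmp
        os.mkdir(shared)
        protected = os.path.join(base, "protected.conf")
        with open(protected, "w") as fh:
            fh.write("original\n")
        # Constructed condition: the static name already exists as a symlink.
        os.symlink(protected, os.path.join(shared, STATIC_NAME))

        write_script_predictable(shared, SCRIPT)
        with open(protected) as fh:
            results["overwritten_by_static_path"] = fh.read() == SCRIPT

        with open(protected, "w") as fh:               # reset, then repeat with mkstemp
            fh.write("original\n")
        safe_path = write_script_mkstemp(shared, SCRIPT)
        with open(protected) as fh:
            results["intact_with_mkstemp"] = fh.read() == "original\n"
        st = os.lstat(safe_path)
        results["regular_file"] = stat.S_ISREG(st.st_mode)
        results["mode"] = stat.S_IMODE(st.st_mode)
    return results
```
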