Miggo Logo

CVE-2018-10874: Ansible Improper Input Validation vulnerability

7.8

CVSS Score
3.0

Basic Information

EPSS Score
0.19271%
Published
5/13/2022
Updated
9/9/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
ansiblepip>= 0, < 2.4.6.02.4.6.0
ansiblepip>= 2.5, < 2.5.62.5.6
ansiblepip>= 2.6, < 2.6.12.6.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from two key points:

  1. VariableManager's get_vars method used the loader's basedir (which defaults to CWD) for variable loading without safety checks
  2. The CLI's _play_prereqs function failed to enforce safe_basedir restrictions for ad-hoc commands

The patch adds 'safe_basedir' checks in both locations:

  • In VariableManager, only sets basedirs when safe_basedir=True
  • In CLI initialization, properly sets safe_basedir based on whether a base directory was explicitly specified

These code changes directly correlate with the CVE description about improper input validation of inventory source locations.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *nsi*l* it w*s *oun* t**t inv*ntory v*ri**l*s *r* lo**** *rom *urr*nt workin* *ir**tory w**n runnin* **-*o* *omm*n* w*i** *r* un**r *tt**k*r's *ontrol, *llowin* to run *r*itr*ry *o** *s * r*sult.

Reasoning

T** vuln*r**ility st*ms *rom two k*y points: *. V*ri**l*M*n***r's **t_v*rs m*t*o* us** t** lo***r's **s**ir (w*i** ****ults to *W*) *or v*ri**l* lo**in* wit*out s***ty ****ks *. T** *LI's _pl*y_pr*r*qs *un*tion **il** to *n*or** s***_**s**ir r*stri*t