CVE-2018-10874: Ansible Improper Input Validation vulnerability
CVSS Score: 7.8 (CVSS 3.0)
Basic Information
CVE ID: CVE-2018-10874
GHSA ID
EPSS Score: 0.19271%
CWE
Published: 5/13/2022
Updated: 9/9/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
ansible | pip | >= 0, < 2.4.6.0 | 2.4.6.0 |
ansible | pip | >= 2.5, < 2.5.6 | 2.5.6 |
ansible | pip | >= 2.6, < 2.6.1 | 2.6.1 |
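The three affected ranges above can be checked mechanically. The following is an added example, not code from the advisory or from the Ansible project; the function names are hypothetical, and it assumes that pre-release builds (rc, beta, dev) of a patched version predate the fix.

```python
import re
from importlib import metadata

# Ranges copied from the advisory table: (inclusive lower bound, first patched version).
AFFECTED_RANGES = [
    ("0", "2.4.6.0"),
    ("2.5", "2.5.6"),
    ("2.6", "2.6.1"),
]

def parse_version(text, width=4):
    """Return (numeric_tuple, is_prerelease) for strings like '2.5.6' or '2.6.1rc1'."""
    match = re.match(r"^\s*v?(\d+(?:\.\d+)*)(.*)$", text)
    if not match:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = [int(part) for part in match.group(1).split(".")]
    numbers += [0] * (width - len(numbers))  # so 2.4.6 and 2.4.6.0 compare equal
    suffix = match.group(2).strip().lower()
    # Assumption: a/b/rc/dev suffixes mark builds cut before the final release.
    prerelease = bool(re.match(r"^[.\-_]?(a|b|rc|alpha|beta|dev)", suffix))
    return tuple(numbers), prerelease

def first_patched_for(version_text):
    """Return the first patched version if version_text is affected, else None."""
    numbers, prerelease = parse_version(version_text)
    for lower_text, patched_text in AFFECTED_RANGES:
        lower, _ = parse_version(lower_text)
        patched, _ = parse_version(patched_text)
        # A pre-release of the patched version is treated as still affected.
        below_patched = numbers < patched or (numbers == patched and prerelease)
        if numbers >= lower and below_patched:
            return patched_text
    return None

def installed_ansible_status():
    """Return (installed_version, first_patched_or_None), or None if not installed."""
    try:
        version = metadata.version("ansible")
    except metadata.PackageNotFoundError:
        return None
    return version, first_patched_for(version)

if __name__ == "__main__":
    status = installed_ansible_status()
    if status is None:
        print("ansible is not installed in this environment")
    elif status[1]:
        print(f"ansible {status[0]} is affected; upgrade to {status[1]} or later")
    else:
        print(f"ansible {status[0]} is outside the affected ranges")
```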
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from two key points:
- VariableManager's get_vars method used the loader's basedir (which defaults to CWD) for variable loading without safety checks
- The CLI's _play_prereqs function failed to enforce safe_basedir restrictions for ad-hoc commands
The patch adds 'safe_basedir' checks in both locations:
- In VariableManager, basedirs are set only when safe_basedir=True
- In CLI initialization, safe_basedir is set based on whether a base directory was explicitly specified
These code changes directly correlate with the CVE description about improper input validation of inventory source locations.