5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10156

GHSA ID

GHSA-grgm-pph5-j5h7

EPSS Score

0.66025%

CWE

CWE-200

Published

7/31/2019

Updated

9/4/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-10156

CVE-2019-10156: Exposure of Sensitive Information to an Unauthorized Actor in ansible

A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.

(GitHub Advisory)

5.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-10156

GHSA ID

GHSA-grgm-pph5-j5h7

EPSS Score

0.66025%

CWE

CWE-200

Published

7/31/2019

Updated

9/4/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ansible	pip	< 2.6.18	2.6.18
ansible	pip	>= 2.7.0a1, < 2.7.12	2.7.12
ansible	pip	>= 2.8.0a1, < 2.8.2	2.8.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from how Ansible's templating engine handled variable substitution. The key changes in the patch:

Removal of 'locals=self._available_variables' in the safe_eval call (init.py)
Replacement of JSON_TYPES with a restricted OUR_GLOBALS (safe_eval.py)

These changes indicate that the original implementation allowed template evaluation to access arbitrary variables via the 'locals' parameter passed to safe_eval. The vulnerable functions directly participated in this insecure evaluation flow by providing excessive context to the evaluator.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

* *l*w w*s *is*ov*r** in t** w*y *nsi*l* t*mpl*tin* w*s impl*m*nt** in v*rsions ***or* *.*.**, *.*.** *n* *.*.*, **usin* t** possi*ility o* in*orm*tion *is*losur* t*rou** un*xp**t** v*ri**l* su*stitution. *y t*kin* **v*nt*** o* unint*n*** v*ri**l* su

Reasoning

T** vuln*r**ility st*ms *rom *ow *nsi*l*'s t*mpl*tin* *n*in* **n*l** v*ri**l* su*stitution. T** k*y ***n**s in t** p*t**: *. R*mov*l o* 'lo**ls=s*l*._*v*il**l*_v*ri**l*s' in t** s***_*v*l **ll (__init__.py) *. R*pl***m*nt o* JSON_TYP*S wit* * r*stri*

5.4

Basic Information

Concerned about an active attack path?

CVE-2019-10156: Exposure of Sensitive Information to an Unauthorized Actor in ansible

5.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI