{"api_version":"1","generated_at":"2026-04-23T05:57:54+00:00","cve":"CVE-2019-10156","urls":{"html":"https://cve.report/CVE-2019-10156","api":"https://cve.report/api/cve/CVE-2019-10156.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2019-10156","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2019-10156"},"summary":{"title":"CVE-2019-10156","description":"A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.","state":"PUBLIC","assigner":"secalert@redhat.com","published_at":"2019-07-30 23:15:00","updated_at":"2022-04-19 15:36:00"},"problem_types":["CWE-200"],"metrics":[],"references":[{"url":"https://access.redhat.com/errata/RHSA-2019:3789","name":"RHSA-2019:3789","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html","name":"[debian-lts-announce] 20210127 [SECURITY] [DLA 2535-1] ansible security update","refsource":"MLIST","tags":["Mailing List","Third Party Advisory"],"title":"[SECURITY] [DLA 2535-1] ansible security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html","name":"[debian-lts-announce] 20190916 [SECURITY] [DLA 1923-1] ansible security update","refsource":"MLIST","tags":["Vendor Advisory"],"title":"[SECURITY] [DLA 1923-1] ansible security update","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156","refsource":"CONFIRM","tags":["Issue Tracking","Vendor Advisory"],"title":"1717311 – (CVE-2019-10156) CVE-2019-10156 ansible: unsafe template evaluation of returned module data can lead to information disclosure","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.debian.org/security/2021/dsa-4950","name":"DSA-4950","refsource":"DEBIAN","tags":[],"title":"Debian -- Security Information -- DSA-4950-1 ansible","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://access.redhat.com/errata/RHSA-2019:3744","name":"RHSA-2019:3744","refsource":"REDHAT","tags":["Vendor Advisory"],"title":"Red Hat Customer Portal","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://github.com/ansible/ansible/pull/57188","name":"https://github.com/ansible/ansible/pull/57188","refsource":"CONFIRM","tags":["Patch","Third Party Advisory"],"title":"safe_eval fix by bcoca · Pull Request #57188 · ansible/ansible · GitHub","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2019-10156","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2019-10156","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[{"cve_year":"2019","cve_id":"10156","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10156","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"9.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10156","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"o","cpe4":"debian","cpe5":"debian_linux","cpe6":"8.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10156","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ansible","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10156","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"ansible","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10156","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack","cpe6":"13","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10156","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack","cpe6":"13.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10156","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack","cpe6":"14","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10156","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack","cpe6":"14.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10156","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack","cpe6":"13.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"},{"cve_year":"2019","cve_id":"10156","vulnerable":"1","versionEndIncluding":"1","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"redhat","cpe5":"openstack","cpe6":"14.0","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"*","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[{"cve":"CVE-2019-10156","qid":"178744","title":"Debian Security Update for ansible (DSA 4950-1)"},{"cve":"CVE-2019-10156","qid":"500003","title":"Alpine Linux Security Update for ansible"},{"cve":"CVE-2019-10156","qid":"501344","title":"Alpine Linux Security Update for ansible-base"},{"cve":"CVE-2019-10156","qid":"981347","title":"Python (pip) Security Update for ansible (GHSA-grgm-pph5-j5h7)"}]},"source_records":{"cve_program":{"data_type":"CVE","data_format":"MITRE","data_version":"4.0","CVE_data_meta":{"ID":"CVE-2019-10156","ASSIGNER":"secalert@redhat.com","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"vendor_name":"Red Hat","product":{"product_data":[{"product_name":"ansible","version":{"version_data":[{"version_value":"fixed in 2.6.18"},{"version_value":"fixed in 2.7.12"},{"version_value":"fixed in 2.8.2"}]}}]}}]}},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"CWE-200"}]}]},"references":{"reference_data":[{"url":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156","name":"https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156","refsource":"CONFIRM"},{"url":"https://github.com/ansible/ansible/pull/57188","name":"https://github.com/ansible/ansible/pull/57188","refsource":"CONFIRM"},{"refsource":"MLIST","name":"[debian-lts-announce] 20190916 [SECURITY] [DLA 1923-1] ansible security update","url":"https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html"},{"refsource":"REDHAT","name":"RHSA-2019:3744","url":"https://access.redhat.com/errata/RHSA-2019:3744"},{"refsource":"REDHAT","name":"RHSA-2019:3789","url":"https://access.redhat.com/errata/RHSA-2019:3789"},{"refsource":"MLIST","name":"[debian-lts-announce] 20210127 [SECURITY] [DLA 2535-1] ansible security update","url":"https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html"},{"refsource":"DEBIAN","name":"DSA-4950","url":"https://www.debian.org/security/2021/dsa-4950"}]},"description":{"description_data":[{"lang":"eng","value":"A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed."}]},"impact":{"cvss":[[{"vectorString":"4.6/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N","version":"3.0"}]]}},"nvd":{"publishedDate":"2019-07-30 23:15:00","lastModifiedDate":"2022-04-19 15:36:00","problem_types":["CWE-200"],"metrics":{"baseMetricV3":{"cvssV3":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"LOW","integrityImpact":"LOW","availabilityImpact":"NONE","baseScore":5.4,"baseSeverity":"MEDIUM"},"exploitabilityScore":2.8,"impactScore":2.5},"baseMetricV2":{"cvssV2":{"version":"2.0","vectorString":"AV:N/AC:L/Au:S/C:P/I:P/A:N","accessVector":"NETWORK","accessComplexity":"LOW","authentication":"SINGLE","confidentialityImpact":"PARTIAL","integrityImpact":"PARTIAL","availabilityImpact":"NONE","baseScore":5.5},"severity":"MEDIUM","exploitabilityScore":8,"impactScore":4.9,"acInsufInfo":false,"obtainAllPrivilege":false,"obtainUserPrivilege":false,"obtainOtherPrivilege":false,"userInteractionRequired":false}},"configurations":{"CVE_data_version":"4.0","nodes":[{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*","versionStartIncluding":"2.8.0","versionEndExcluding":"2.8.2","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*","versionStartIncluding":"2.7.0","versionEndExcluding":"2.7.12","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*","versionEndExcluding":"2.6.18","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*","cpe_name":[]}]},{"operator":"OR","children":[],"cpe_match":[{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*","cpe_name":[]},{"vulnerable":true,"cpe23Uri":"cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*","cpe_name":[]}]}]}},"legacy_mitre":{"record":{"CveYear":"2019","CveId":"10156","Ordinal":"148373","Title":"CVE-2019-10156","CVE":"CVE-2019-10156","Year":"2019"},"notes":[{"CveYear":"2019","CveId":"10156","Ordinal":"1","NoteData":"A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.","Type":"Description","Title":null},{"CveYear":"2019","CveId":"10156","Ordinal":"2","NoteData":"2019-07-30","Type":"Other","Title":"Published"},{"CveYear":"2019","CveId":"10156","Ordinal":"3","NoteData":"2021-08-07","Type":"Other","Title":"Modified"}]}}}