High severity7.8NVD Advisory· Published Jun 3, 2016· Updated Jun 17, 2026
CVE-2016-3096
CVE-2016-3096
Description
The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ansiblePyPI | >= 2.0.0.0, < 2.0.2.0 | 2.0.2.0 |
ansiblePyPI | < 1.9.6.1 | 1.9.6.1 |
Affected products
13cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:o:fedoraproject:fedora:22:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:23:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:24:*:*:*:*:*:*:*
- ghsa-coords7 versionspkg:pypi/ansiblepkg:rpm/opensuse/ansible-10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ansible-11&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ansible-12&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ansible-13&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ansible-9&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ansible&distro=openSUSE%20Tumbleweed
>= 2.0.0.0, < 2.0.2.0+ 6 more
- (no CPE)range: >= 2.0.0.0, < 2.0.2.0
- (no CPE)range: < 10.6.0-1.1
- (no CPE)range: < 11.11.0-1.1
- (no CPE)range: < 12.2.0-1.1
- (no CPE)range: < 13.7.0-1.1
- (no CPE)range: < 9.8.0-1.1
- (no CPE)range: < 2.2.0.0-1.1
Patches
Vulnerability mechanics
References
19- github.com/ansible/ansible-modules-extras/pull/1941nvdPatchWEB
- github.com/ansible/ansible-modules-extras/pull/1941/commits/8c6fe646ee79f5e55361b885b7efed5bec72d4a4nvdPatch
- github.com/ansible/ansible/blob/v2.0.2.0-1/CHANGELOG.mdnvdPatchWEB
- lists.fedoraproject.org/pipermail/package-announce/2016-April/183103.htmlnvdThird Party AdvisoryWEB
- lists.fedoraproject.org/pipermail/package-announce/2016-April/183132.htmlnvdVendor AdvisoryWEB
- lists.fedoraproject.org/pipermail/package-announce/2016-April/183252.htmlnvdVendor AdvisoryWEB
- lists.fedoraproject.org/pipermail/package-announce/2016-April/183274.htmlnvdVendor AdvisoryWEB
- lists.fedoraproject.org/pipermail/package-announce/2016-May/184175.htmlnvdVendor AdvisoryWEB
- github.com/advisories/GHSA-rh6x-qvg7-rrmjghsaADVISORY
- github.com/ansible/ansible/blob/v1.9.6-1/CHANGELOG.mdnvdThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2016-3096ghsaADVISORY
- security.gentoo.org/glsa/201607-14nvdThird Party AdvisoryWEB
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingWEB
- github.com/ansible/ansible-modules-extras/commit/7c3999a92a1cd856ff9bc8913a93ff1aee8bffc3ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2016-1.yamlghsaWEB
- groups.google.com/forum/ghsaWEB
- groups.google.com/forum/ghsaWEB
- groups.google.com/forum/nvdWEB
- groups.google.com/forum/nvdWEB
News mentions
0No linked articles in our index yet.