High severity7.8NVD Advisory· Published Jul 2, 2018· Updated Jun 17, 2026
CVE-2018-10874
CVE-2018-10874
Description
In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ansiblePyPI | < 2.4.6.0 | 2.4.6.0 |
ansiblePyPI | >= 2.5, < 2.5.6 | 2.5.6 |
ansiblePyPI | >= 2.6, < 2.6.1 | 2.6.1 |
Affected products
37- ghsa-coords37 versionspkg:pypi/ansiblepkg:rpm/opensuse/ansible&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/dracut-saltboot&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/golang-github-prometheus-promu&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/POS_Image-Graphical7&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/POS_Image-JeOS7&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/spacecmd&distro=openSUSE%20Leap%2015.5pkg:rpm/suse/ansible&distro=HPE%20Helion%20OpenStack%208pkg:rpm/suse/ansible&distro=SUSE%20Manager%20Client%20Tools%2015pkg:rpm/suse/ansible&distro=SUSE%20Manager%20Client%20Tools%2015-BETApkg:rpm/suse/ansible&distro=SUSE%20Manager%20Proxy%20Module%204.3pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%208pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%20Crowbar%208pkg:rpm/suse/dracut-saltboot&distro=SUSE%20Manager%20Client%20Tools%2015pkg:rpm/suse/dracut-saltboot&distro=SUSE%20Manager%20Client%20Tools%2015-BETApkg:rpm/suse/dracut-saltboot&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205pkg:rpm/suse/golang-github-prometheus-node_exporter&distro=SUSE%20Manager%20Client%20Tools%20Beta%20for%20SLE%20Micro%205pkg:rpm/suse/golang-github-prometheus-promu&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Package%20Hub%2015%20SP5pkg:rpm/suse/grafana&distro=SUSE%20Manager%20Client%20Tools%2015pkg:rpm/suse/grafana&distro=SUSE%20Manager%20Client%20Tools%2015-BETApkg:rpm/suse/mgr-daemon&distro=SUSE%20Manager%20Client%20Tools%2015pkg:rpm/suse/POS_Image-Graphical7&distro=SUSE%20Manager%20Client%20Tools%2015pkg:rpm/suse/POS_Image-Graphical7&distro=SUSE%20Manager%20Client%20Tools%2015-BETApkg:rpm/suse/POS_Image-JeOS7&distro=SUSE%20Manager%20Client%20Tools%2015pkg:rpm/suse/POS_Image-JeOS7&distro=SUSE%20Manager%20Client%20Tools%2015-BETApkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Client%20Tools%2015pkg:rpm/suse/spacecmd&distro=SUSE%20Manager%20Client%20Tools%2015-BETApkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Client%20Tools%2015pkg:rpm/suse/spacewalk-client-tools&distro=SUSE%20Manager%20Client%20Tools%2015-BETApkg:rpm/suse/spacewalk-koan&distro=SUSE%20Manager%20Client%20Tools%2015pkg:rpm/suse/supportutils-plugin-susemanager-client&distro=SUSE%20Manager%20Client%20Tools%2015-BETApkg:rpm/suse/uyuni-common-libs&distro=SUSE%20Manager%20Client%20Tools%2015pkg:rpm/suse/uyuni-proxy-systemd-services&distro=SUSE%20Manager%20Client%20Tools%2015pkg:rpm/suse/uyuni-proxy-systemd-services&distro=SUSE%20Manager%20Client%20Tools%20for%20SLE%20Micro%205pkg:rpm/suse/uyuni-proxy-systemd-services&distro=SUSE%20Manager%20Proxy%20Module%204.3pkg:rpm/suse/uyuni-tools&distro=SUSE%20Manager%20Client%20Tools%2015-BETApkg:rpm/suse/uyuni-tools&distro=SUSE%20Manager%20Client%20Tools%20Beta%20for%20SLE%20Micro%205
< 2.4.6.0+ 36 more
- (no CPE)range: < 2.4.6.0
- (no CPE)range: < 2.9.27-150000.1.17.2
- (no CPE)range: < 0.1.1710765237.46af599-150000.1.53.2
- (no CPE)range: < 0.14.0-150000.3.18.2
- (no CPE)range: < 0.1.1710765237.46af599-150000.1.21.2
- (no CPE)range: < 0.1.1710765237.46af599-150000.1.21.2
- (no CPE)range: < 4.3.27-150000.3.116.2
- (no CPE)range: < 2.4.6.0-3.3.1
- (no CPE)range: < 2.9.27-150000.1.17.2
- (no CPE)range: < 2.9.27-159000.3.12.2
- (no CPE)range: < 2.9.27-150000.1.17.2
- (no CPE)range: < 2.4.6.0-3.3.1
- (no CPE)range: < 2.4.6.0-3.3.1
- (no CPE)range: < 0.1.1710765237.46af599-150000.1.53.2
- (no CPE)range: < 0.1.1710765237.46af599-159000.3.33.2
- (no CPE)range: < 0.1.1710765237.46af599-150000.1.53.2
- (no CPE)range: < 1.5.0-159000.6.2.1
- (no CPE)range: < 0.14.0-150000.3.18.2
- (no CPE)range: < 9.5.18-150000.1.63.2
- (no CPE)range: < 9.5.16-159000.4.30.2
- (no CPE)range: < 4.3.9-150000.1.47.2
- (no CPE)range: < 0.1.1710765237.46af599-150000.1.21.2
- (no CPE)range: < 0.1.1710765237.46af599-159000.3.24.2
- (no CPE)range: < 0.1.1710765237.46af599-150000.1.21.2
- (no CPE)range: < 0.1.1710765237.46af599-159000.3.24.2
- (no CPE)range: < 4.3.27-150000.3.116.2
- (no CPE)range: < 5.0.5-159000.6.48.2
- (no CPE)range: < 4.3.19-150000.3.89.2
- (no CPE)range: < 5.0.4-159000.6.54.2
- (no CPE)range: < 4.3.6-150000.3.33.2
- (no CPE)range: < 5.0.3-159000.6.21.2
- (no CPE)range: < 4.3.10-150000.1.39.2
- (no CPE)range: < 4.3.12-150000.1.21.2
- (no CPE)range: < 4.3.12-150000.1.21.2
- (no CPE)range: < 4.3.12-150000.1.21.2
- (no CPE)range: < 0.1.7-159000.3.8.1
- (no CPE)range: < 0.1.7-159000.3.8.1
Patches
Vulnerability mechanics
References
22- www.securitytracker.com/id/1041396nvdThird Party AdvisoryVDB Entry
- access.redhat.com/errata/RHBA-2018:3788nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2018:2150nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2018:2151nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2018:2152nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2018:2166nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2018:2321nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2018:2585nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2019:0054nvdVendor AdvisoryWEB
- bugzilla.redhat.com/show_bug.cginvdIssue TrackingVendor AdvisoryWEB
- github.com/advisories/GHSA-3xvg-x47j-x75wghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2018-10874ghsaADVISORY
- access.redhat.com/security/cve/CVE-2018-10874ghsaWEB
- bugzilla.redhat.com/show_bug.cgighsaWEB
- github.com/ansible/ansible/commit/10d6fe6c98cfee9a7be0fea6102ba5dec951aec7ghsaWEB
- github.com/ansible/ansible/commit/1f80949f964a946773f9d3ac1899535bd2cc2b8eghsaWEB
- github.com/ansible/ansible/commit/44874addc7ea136f83c67d5869047ece02645fdbghsaWEB
- github.com/ansible/ansible/pull/42067ghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-81.yamlghsaWEB
- usn.ubuntu.com/4072-1ghsaWEB
- web.archive.org/web/20201130165946/http://www.securitytracker.com/id/1041396ghsaWEB
- usn.ubuntu.com/4072-1/nvd
News mentions
0No linked articles in our index yet.