Search for vulnerabilities
Vulnerability details: VCID-2ncp-ksvc-f3e4
Vulnerability ID VCID-2ncp-ksvc-f3e4
Aliases CVE-2019-10156
GHSA-grgm-pph5-j5h7
PYSEC-2019-2
Summary A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3.1 5.4 https://access.redhat.com/errata/RHSA-2019:3744
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2019:3744
cvssv3.1 5.4 https://access.redhat.com/errata/RHSA-2019:3789
generic_textual MODERATE https://access.redhat.com/errata/RHSA-2019:3789
cvssv3 4.6 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10156.json
epss 0.00524 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.00524 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
epss 0.0063 https://api.first.org/data/v1/epss?cve=CVE-2019-10156
cvssv3.1 5.4 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156
generic_textual MODERATE https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156
cvssv3 4.6 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1 5.4 https://github.com/advisories/GHSA-grgm-pph5-j5h7
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-grgm-pph5-j5h7
generic_textual MODERATE https://github.com/advisories/GHSA-grgm-pph5-j5h7
cvssv3.1 5.4 https://github.com/ansible/ansible
generic_textual MODERATE https://github.com/ansible/ansible
cvssv3.1 5.4 https://github.com/ansible/ansible/commit/04e94274fb92e116e9082cc9b86b1fd05c836922
generic_textual MODERATE https://github.com/ansible/ansible/commit/04e94274fb92e116e9082cc9b86b1fd05c836922
cvssv3.1 5.4 https://github.com/ansible/ansible/commit/3ff6505e8ff0e4655bab008886983476ef903375
generic_textual MODERATE https://github.com/ansible/ansible/commit/3ff6505e8ff0e4655bab008886983476ef903375
cvssv3.1 5.4 https://github.com/ansible/ansible/commit/a11c3edfa41e7e4a4db323cdabfc2eae1b61da2a
generic_textual MODERATE https://github.com/ansible/ansible/commit/a11c3edfa41e7e4a4db323cdabfc2eae1b61da2a
cvssv3.1 5.4 https://github.com/ansible/ansible/pull/57188
generic_textual MODERATE https://github.com/ansible/ansible/pull/57188
cvssv3.1 5.4 https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-2.yaml
generic_textual MODERATE https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-2.yaml
cvssv3.1 5.4 https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
cvssv3.1 5.4 https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
cvssv2 5.5 https://nvd.nist.gov/vuln/detail/CVE-2019-10156
cvssv3.1 5.4 https://nvd.nist.gov/vuln/detail/CVE-2019-10156
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2019-10156
cvssv3.1 5.4 https://www.debian.org/security/2021/dsa-4950
generic_textual MODERATE https://www.debian.org/security/2021/dsa-4950
Reference id Reference type URL
https://access.redhat.com/errata/RHSA-2019:3744
https://access.redhat.com/errata/RHSA-2019:3789
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10156.json
https://api.first.org/data/v1/epss?cve=CVE-2019-10156
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10206
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14864
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14904
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10684
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10685
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10729
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14330
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14332
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14365
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1735
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1746
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1753
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-20228
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/advisories/GHSA-grgm-pph5-j5h7
https://github.com/ansible/ansible
https://github.com/ansible/ansible/commit/04e94274fb92e116e9082cc9b86b1fd05c836922
https://github.com/ansible/ansible/commit/3ff6505e8ff0e4655bab008886983476ef903375
https://github.com/ansible/ansible/commit/a11c3edfa41e7e4a4db323cdabfc2eae1b61da2a
https://github.com/ansible/ansible/pull/57188
https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-2.yaml
https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
https://nvd.nist.gov/vuln/detail/CVE-2019-10156
https://www.debian.org/security/2021/dsa-4950
1717311 https://bugzilla.redhat.com/show_bug.cgi?id=1717311
930065 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=930065
cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:redhat:openstack:14:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:* https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
RHSA-2019:1705 https://access.redhat.com/errata/RHSA-2019:1705
RHSA-2019:1706 https://access.redhat.com/errata/RHSA-2019:1706
RHSA-2019:1707 https://access.redhat.com/errata/RHSA-2019:1707
RHSA-2019:1708 https://access.redhat.com/errata/RHSA-2019:1708
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2019:3744
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://access.redhat.com/errata/RHSA-2019:3789
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-10156.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/advisories/GHSA-grgm-pph5-j5h7
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/ansible/ansible
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/ansible/ansible/commit/04e94274fb92e116e9082cc9b86b1fd05c836922
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/ansible/ansible/commit/3ff6505e8ff0e4655bab008886983476ef903375
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/ansible/ansible/commit/a11c3edfa41e7e4a4db323cdabfc2eae1b61da2a
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/ansible/ansible/pull/57188
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-2.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-10156
Exploitability (E) Access Vector (AV) Access Complexity (AC) Authentication (Au) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

high

functional

unproven

proof_of_concept

not_defined

local

adjacent_network

network

high

medium

low

multiple

single

none

none

partial

complete

none

partial

complete

none

partial

complete
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2019-10156
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N Found at https://www.debian.org/security/2021/dsa-4950
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.65975
EPSS Score 0.00524
Published At July 30, 2025, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2025-07-31T08:07:44.116287+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/ansible/PYSEC-2019-2.yaml 37.0.0