x/vulndb: potential Go vuln in github.com/ansible/ansible: CVE-2019-10156

[tatianab]

CVE-2019-10156 references github.com/ansible/ansible, which may be a Go module.

Description:
A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.

References:

• NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-10156
• web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156
• fix: safe_eval fix ansible/ansible#57188
• web: https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
• web: https://access.redhat.com/errata/RHSA-2019:3744
• web: https://access.redhat.com/errata/RHSA-2019:3789
• web: https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
• web: https://www.debian.org/security/2021/dsa-4950
• Imported by: https://pkg.go.dev/github.com/ansible/ansible?tab=importedby

Cross references:
No existing reports found with this module or alias.

See doc/triage.md for instructions on how to triage this report.

modules:
    - module: github.com/ansible/ansible
      vulnerable_at: 2.15.5+incompatible
      packages:
        - package: ansible
cves:
    - CVE-2019-10156
references:
    - web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10156
    - fix: https://github.com/ansible/ansible/pull/57188
    - web: https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
    - web: https://access.redhat.com/errata/RHSA-2019:3744
    - web: https://access.redhat.com/errata/RHSA-2019:3789
    - web: https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
    - web: https://www.debian.org/security/2021/dsa-4950

[gopherbot]

Change https://go.dev/cl/540721 mentions this issue: data/excluded: batch add 135 excluded reports