Arbitrary Code Execution Affecting ansible package, versions [,1.6.7)
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
- Integrity: High
- Availability: High
Threat Intelligence
- EPSS: 0.82% (82nd percentile)
- Snyk ID SNYK-PYTHON-ANSIBLE-1924992
- published 24 Nov 2021
- disclosed 18 Feb 2020
- credit Unknown
Introduced: 18 Feb 2020
CVE-2014-4967
How to fix?
Upgrade ansible to version 1.6.7 or higher.
Overview
ansible is a simple IT automation system.
Affected versions of this package are vulnerable to Arbitrary Code Execution via arguments that are not sanitized, which in turn allows remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted Ansible fact, for example: (1) a trailing src= clause, (2) a trailing temp= clause, or (3) a trailing validate= clause accompanied by a shell command.
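
The overview describes a fact value carrying a trailing src= clause into a key=value argument string. The following added example is a simplified Python model, not Ansible's code and not part of the advisory. It shows why the last duplicate key wins after substitution and one way to reject it. The template syntax, function names and sample facts are constructed for illustration.

```python
import shlex

# Constructed sample input: a module argument template and fact values.
TEMPLATE = "src=app.conf dest=/etc/app/{{site}}.conf"
BENIGN_FACTS = {"site": "blog"}
CRAFTED_FACTS = {"site": "blog src=constructed-override"}  # trailing src= clause


class InjectedArgument(ValueError):
    """Raised when substitution changes the set or order of argument keys."""


def kv_pairs(args):
    """Split 'k=v k2=v2' into ordered (key, value) pairs, keeping duplicates."""
    return [tuple(tok.split("=", 1)) for tok in shlex.split(args) if "=" in tok]


def render(template, facts):
    """Toy templating: replace each {{name}} with the reported fact value."""
    for name, value in facts.items():
        template = template.replace("{{%s}}" % name, value)
    return template


def render_unsafe(template, facts):
    """Substitute, then parse. A later duplicate key silently wins."""
    return dict(kv_pairs(render(template, facts)))


def render_checked(template, facts):
    """Reject the task if substitution added or duplicated any key."""
    expected = [key for key, _ in kv_pairs(template)]
    pairs = kv_pairs(render(template, facts))
    found = [key for key, _ in pairs]
    if found != expected:
        raise InjectedArgument("keys changed: %r -> %r" % (expected, found))
    return dict(pairs)


if __name__ == "__main__":
    print(render_unsafe(TEMPLATE, BENIGN_FACTS))
    print(render_unsafe(TEMPLATE, CRAFTED_FACTS))  # src is overridden
    try:
        render_checked(TEMPLATE, CRAFTED_FACTS)
    except InjectedArgument as exc:
        print("rejected:", exc)
```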