Arbitrary Command Execution Affecting ansible package, versions [2.7.0,2.7.17) [2.8.0,2.8.11) [2.9.0,2.9.7)
Snyk CVSS
- Attack Complexity: Low
- Confidentiality: High
- Integrity: High
- Availability: High
Threat Intelligence
- EPSS: 0.04% (13th percentile)
- Snyk ID SNYK-PYTHON-ANSIBLE-559165
- published 4 Mar 2020
- disclosed 3 Mar 2020
- credit Damien Aumaitre, Nicolas Surbayrole
How to fix?
Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.
Overview
ansible is a simple IT automation system.
Affected versions of this package are vulnerable to Arbitrary Command Execution. The pipe lookup plugin uses shell=True by default, so the string it receives is interpreted by a shell. If a variable is passed to the pipe lookup, that variable could be overridden via facts, leading to arbitrary code execution.
Note: The maintainer disputes this vulnerability.
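The pattern the advisory describes, shown next to two hardened variants, as an added example that is not taken from the advisory or from the Ansible project. The pipe lookup, like every lookup plugin, runs on the control node, so the command line built here executes on the controller. The variable name `report_name`, the directory `/srv/reports/`, and the idea that a managed host could return a fact of the same name are assumptions for the illustration.

```yaml
# Added example (not from the Snyk advisory or the Ansible project).
# Assumes a play variable `report_name` that a managed host could override
# by returning a fact of the same name, and a report directory /srv/reports/.
- name: Risky and hardened uses of the pipe lookup (lookups run on the control node)
  hosts: all
  gather_facts: true
  vars:
    report_name: nightly
  tasks:
    # Risky: the assembled string is handed to a shell (shell=True), so any
    # shell metacharacters in report_name are interpreted on the controller.
    # If a fact named report_name takes precedence over the play var, the
    # managed host decides what that command line contains.
    - name: Risky - untrusted variable spliced into a shell command line
      debug:
        msg: "{{ lookup('pipe', 'cat /srv/reports/' ~ report_name ~ '.txt') }}"

    # Hardened 1: validate the value before it reaches any command line.
    # Allow-listing the characters means a fact that tries to smuggle in
    # metacharacters fails the play instead of reaching the shell.
    - name: Hardened - reject unexpected characters in report_name
      assert:
        that:
          - report_name is match('^[A-Za-z0-9_-]+$')
        fail_msg: "report_name contains characters that are not allowed"

    # Hardened 2: quote the interpolated value so it is passed to the command
    # as one literal argument rather than being parsed by the shell.
    - name: Hardened - shell-quote the interpolated value
      debug:
        msg: "{{ lookup('pipe', 'cat ' ~ ('/srv/reports/' ~ report_name ~ '.txt') | quote) }}"

    # Hardened 3: keep a shell out of the picture entirely. The file lookup
    # reads the file directly on the control node; a bad value can only
    # produce a missing-file error, never a second command.
    - name: Hardened - read the file without invoking a shell
      debug:
        msg: "{{ lookup('file', '/srv/reports/' ~ report_name ~ '.txt') }}"
```

Of the three, the validation task is the one to reach for first: it fails closed, it does not depend on getting quoting right in every place the variable is used, and it keeps working if the variable is later fed into a module that runs on the managed host rather than into a lookup on the controller. Upgrading to a fixed ansible release, as the advisory recommends, should be done regardless.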