Improper Neutralization of Special Elements in Output Used by a Downstream Component in Ansible - CVE-2014-4967
Published: February 18, 2020 / Updated: July 17, 2020
Ansible
Detailed vulnerability description
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" clause, or (3) a trailing " validate=" clause accompanied by a shell command.
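The argument injection described above, as an added example (a simplified model, not Ansible's own code or its fix): a fact value is substituted into a key=value argument string, a crafted trailing " src=" clause adds a second src key, and quoting the value before substitution keeps it inside one argument. The template, the fact name site_name, the paths and the helper functions are all assumptions constructed for illustration.

```python
import re
import shlex
from collections import Counter

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

# Constructed sample data (hypothetical task arguments and fact values).
TEMPLATE = "src=files/app.conf dest=/etc/app/{{ site_name }}"
BENIGN = {"site_name": "web01"}
CRAFTED = {"site_name": "web01 src=/constructed/other/file"}


def render(template, facts, quote=False):
    """Substitute {{ name }} with the fact value, optionally shell-quoting it."""
    def sub(match):
        value = str(facts[match.group(1)])
        return shlex.quote(value) if quote else value
    return PLACEHOLDER.sub(sub, template)


def parse_args(arg_string):
    """Split a 'k=v k2=v2' string into ordered (key, value) pairs."""
    pairs = []
    for token in shlex.split(arg_string):
        if "=" in token:
            key, value = token.split("=", 1)
            pairs.append((key, value))
    return pairs


def injected_keys(template, facts):
    """Keys that occur more often after rendering than the template wrote."""
    expected = Counter(k for k, _ in parse_args(PLACEHOLDER.sub("X", template)))
    actual = Counter(k for k, _ in parse_args(render(template, facts)))
    return sorted(k for k in actual if actual[k] > expected[k])


if __name__ == "__main__":
    for label, facts in (("benign", BENIGN), ("crafted", CRAFTED)):
        # dict() keeps the last value per key, so an injected src wins.
        print(label, "unquoted:", dict(parse_args(render(TEMPLATE, facts))))
        print(label, "injected keys:", injected_keys(TEMPLATE, facts))
        print(label, "quoted:  ", dict(parse_args(render(TEMPLATE, facts, quote=True))))
```

Comparing key counts before and after substitution flags the crafted fact without needing a list of dangerous parameter names, so the same check covers the " temp=" and " validate=" variants.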