#VU36808 Command Injection in Ansible - CVE-2016-8628

Published: July 31, 2018 / Updated: August 8, 2020


Vulnerability identifier: #VU36808
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Amber
CVE-ID: CVE-2016-8628
CWE-ID: CWE-77
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Ansible
Software vendor: Red Hat Inc.

Description

The vulnerability allows a remote privileged user to execute arbitrary code.

Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
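The description above is a CWE-77 pattern: a variable controlled at one trust boundary (the controller's facts) ends up inside a shell command line built on another host. The following Python is an added illustration, not Ansible's code and not the actual 2.2.0 fix; the function names, the allow-list pattern and the sample fact values are assumptions constructed for this example. It contrasts naive string interpolation with shell-quoted construction and shows, by tokenizing the result with `shlex`, why quoting keeps a hostile value confined to a single argument.

```python
import re
import shlex

# Constructed sample fact values (hypothetical, for illustration only).
SAFE_FACT = "/bin/sh"
HOSTILE_FACT = "/bin/sh; echo injected"   # carries shell metacharacters


def build_command_unsafe(shell_executable, remote_cmd):
    """Naive construction: the fact value is interpolated straight into a
    shell string, so any metacharacters it carries change the command
    structure instead of being treated as data."""
    return "%s -c %s" % (shell_executable, remote_cmd)


def build_command_safe(shell_executable, remote_cmd):
    """Hardened construction: every interpolated value is shell-quoted, so
    it reaches the shell as exactly one argument whatever it contains."""
    return "%s -c %s" % (shlex.quote(shell_executable), shlex.quote(remote_cmd))


def command_tokens(cmdline):
    """Tokenize a command line the way a POSIX shell would split words.
    Used here only to compare how the two constructions are parsed."""
    return shlex.split(cmdline)


# Allow-list for fact values that are expected to be plain paths/identifiers.
# Assumed policy for this example: anything outside this set is rejected
# before it is ever used to build a command.
FACT_VALUE_ALLOWED = re.compile(r"^[A-Za-z0-9_./:@=+-]*$")


def is_plain_fact_value(value):
    """Controller-side check: True only if the value contains no characters
    a shell could interpret (whitespace, ';', '|', '&', quotes, '$', ...)."""
    return bool(FACT_VALUE_ALLOWED.match(value))


if __name__ == "__main__":
    print("unsafe:", command_tokens(build_command_unsafe(HOSTILE_FACT, "id")))
    print("safe:  ", command_tokens(build_command_safe(HOSTILE_FACT, "id")))
    print("allow-list verdicts:", is_plain_fact_value(SAFE_FACT),
          is_plain_fact_value(HOSTILE_FACT))
```

Running it shows the unsafe line splitting into five words, with the executable, the injected `echo` and `-c id` all becoming separate shell words, while the quoted line keeps the hostile value as one literal token followed by `-c` and `id`. The allow-list check is the complementary control: reject facts that should never contain shell syntax at the point where they are defined, rather than relying on every consumer to quote correctly.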


Remediation

Install the update from the vendor's website.

External links