Main Vulnerability Database Vulnerabilities #VU36808

Command Injection in Ansible - CVE-2016-8628

Published: July 31, 2018 / Updated: August 8, 2020

Vulnerability identifier: #VU36808

CSH Severity: High

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:U/U:Amber

CVE-ID: CVE-2016-8628

CWE-ID: CWE-77

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Red Hat Inc.

Affected software:
Ansible

Detailed vulnerability description

The vulnerability allows a remote privileged user to execute arbitrary code.

Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.

How to mitigate CVE-2016-8628

Install update from vendor's website.

Sources

http://www.securityfocus.com/bid/94109
https://access.redhat.com/errata/RHSA-2016:2778
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628

Command Injection in Ansible - CVE-2016-8628

Detailed vulnerability description

How to mitigate CVE-2016-8628

Sources

Please verify you're human