#VU36808 Command Injection in Ansible
Vulnerability identifier: #VU36808
Vulnerability risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-77
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
Ansible
Server applications /
Remote management servers, RDP, SSH
Vendor: Red Hat Inc.
Description
The vulnerability allows a remote privileged user to execute arbitrary code.
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
Mitigation
Install update from vendor's website.
Vulnerable software versions
Ansible: 2.0.0 - 2.0.2.0-1, 2.1.0 - 2.1.6.0-1
External links
http://www.securityfocus.com/bid/94109
http://access.redhat.com/errata/RHSA-2016:2778
http://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
