CVE-2014-3498 – ansible

Package

Manager: pip
Name: ansible
Vulnerable Version: >=0 <1.6.6

Severity

Level: High

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.00548 pctl0.66927

Details

Ansible Arbitrary Code Execution User module in ansible before 1.6.6 is vulnerable to command execution. Ansible can get the result of remote command in variable, which may come from untrusted source of input. If the content of variable isn't properly filtered and when attempting to use the variable, it will trigger a function that passes it through jinja 2 template engine that can result into arbitrary command execution. Under certain circumstances, unprivileged user on system that is being managed via ansible can execute code on the managing host under UID of running ansible process.

Metadata

Created: 2022-05-14T02:03:45Z
Modified: 2024-09-03T21:19:34Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4cvm-5776-jx9f/GHSA-4cvm-5776-jx9f.json
CWE IDs: ["CWE-20"]
Alternative ID: GHSA-4cvm-5776-jx9f
Finding: F184
Auto approve: 1