Fluid Attacks Database

Description

Ansible Arbitrary Code Execution Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	ansible	>=0 <1.6.7	1.6.7
debian 11	ansible	>=0 <1.6.8+dfsg-1	1.6.8+dfsg-1
debian 14	ansible	>=0 <1.6.8+dfsg-1	1.6.8+dfsg-1
debian 12	ansible	>=0 <1.6.8+dfsg-1	1.6.8+dfsg-1
debian 13	ansible	>=0 <1.6.8+dfsg-1	1.6.8+dfsg-1

Aliases

1. CVE-2014-49662. NVD-2014-49663. OSV-2014-49664. OSV-DEBIAN-2014-49665. GCVE-2014-49666. SECURITY-TRACKER-CVE-2014-4966

References

1. https://github.com/ansible/ansible/commit/62a1295a3e08cb6c3e9f1b2a1e6e5dcaeab325272. https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-204.yaml3. http://www.ocert.org/advisories/ocert-2014-004.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.