Fluid Attacks Database

Description

Ansible Remote Code Execution The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	ansible	>=0 <1.5.4	1.5.4
debian 11	ansible	>=0 <1.5.5+dfsg-1	1.5.5+dfsg-1
debian 12	ansible	>=0 <1.5.5+dfsg-1	1.5.5+dfsg-1
debian 14	ansible	>=0 <1.5.5+dfsg-1	1.5.5+dfsg-1
debian 13	ansible	>=0 <1.5.5+dfsg-1	1.5.5+dfsg-1

Aliases

1. CVE-2014-46572. NVD-2014-46573. OSV-2014-46574. OSV-DEBIAN-2014-46575. GCVE-2014-46576. SECURITY-TRACKER-CVE-2014-4657

References

1. https://github.com/ansible/ansible/commit/998793fd0ab55705d57527a38cee5e83f535974c2. https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md3. https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-199.yaml4. https://web.archive.org/web/20210120133852/https://www.securityfocus.com/bid/68232

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.