Fluid Attacks Database

Description

Ansible Arbitrary Code Execution Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" clause, or (3) a trailing " validate=" clause accompanied by a shell command.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	ansible	>=0 <1.6.8+dfsg-1	1.6.8+dfsg-1
pypi	ansible	>=0 <1.6.7	1.6.7
debian 12	ansible	>=0 <1.6.8+dfsg-1	1.6.8+dfsg-1
debian 11	ansible	>=0 <1.6.8+dfsg-1	1.6.8+dfsg-1
debian 13	ansible	>=0 <1.6.8+dfsg-1	1.6.8+dfsg-1

Aliases

1. CVE-2014-49672. NVD-2014-49673. OSV-DEBIAN-2014-49674. OSV-2014-49675. GCVE-2014-49676. SECURITY-TRACKER-CVE-2014-4967

References

1. https://github.com/ansible/ansible/commit/62a1295a3e08cb6c3e9f1b2a1e6e5dcaeab325272. https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-205.yaml3. http://www.ocert.org/advisories/ocert-2014-004.html

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.