Fluid Attacks Database

Description

Ansible Arbitrary Code Execution Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	ansible	>=0 <2.2.1.0-2	2.2.1.0-2
debian 12	ansible	>=0 <2.2.1.0-2	2.2.1.0-2
pypi	ansible	>=0 <2.2.3.0	2.2.3.0
debian 14	ansible	>=0 <2.2.1.0-2	2.2.1.0-2
debian 13	ansible	>=0 <2.2.1.0-2	2.2.1.0-2

Aliases

1. CVE-2017-74662. NVD-2017-74663. OSV-DEBIAN-2017-74664. OSV-2017-74665. GCVE-2017-74666. SECURITY-TRACKER-CVE-2017-74667. access.redhat.com8. access.redhat.com9. access.redhat.com10. access.redhat.com11. access.redhat.com12. access.redhat.com

References

1. https://github.com/ansible/ansible/issues/241862. https://github.com/ansible/ansible/commit/0d418789a298561fded9bce977d34babc90970793. https://github.com/ansible/ansible/commit/7ff9fa52cfcef2065f0db80d85dd94b9b754839c4. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-74665. https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-40.yaml6. https://web.archive.org/web/20170701161323/http://www.securityfocus.com/bid/97595

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.