Fluid Attacks Database

Description

ansible-runner vulnerable to shell command injection A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
pypi	ansible-runner	>=0 <2.1.0	2.1.0
debian 13	ansible-runner	>=0 <2.1.1-1	2.1.1-1
debian 12	ansible-runner	>=0 <2.1.1-1	2.1.1-1
debian 14	ansible-runner	>=0 <2.1.1-1	2.1.1-1

Aliases

1. CVE-2021-40412. NVD-2021-40413. OSV-2021-40414. OSV-DEBIAN-2021-40415. GHSA-6j58-grhv-27696. GCVE-2021-40417. ACCESS-CVE-2021-40418. SECURITY-TRACKER-CVE-2021-4041

References

1. https://github.com/ansible/ansible-runner/commit/3533f265f4349a3f2a0283158cd01b59a6bbc7bd2. https://bugzilla.redhat.com/show_bug.cgi?id=20280743. https://github.com/pypa/advisory-database/tree/main/vulns/ansible-runner/PYSEC-2022-253.yaml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.