PYSEC-2018-38 — Vulnetix

PYSEC-2018-38 PUBLISHED CVSS 9.300000190734863 CRITICAL

Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.

Risk Scores

CVSS v4.0

9.300000190734863

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

Vendor	Product	Versions
PyPI	ansible	0, 1.1, 1.2

Timeline

Jul 31, 2018 CVE Published
Nov 8, 2023 CVE Updated
May 1, 2026 Distribution Patch
May 1, 2026 Security Advisory

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628 report
http://www.securityfocus.com/bid/94109 url
https://github.com/advisories/GHSA-jg4f-jqm5-4mgq advisory
https://access.redhat.com/errata/RHSA-2016:2778 advisory

Open in Interactive Console →