PYSEC-2018-39
PUBLISHED
CVSS 9.3 CRITICAL
Ansible before versions 2.1.4 and 2.2.1 is vulnerable to improper input validation in its handling of data sent from client systems. An attacker who controls a client system managed by Ansible and can send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server with the Ansible server's privileges.
Risk Scores
CVSS v4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| PyPI | ansible | 1.2.1, 0, 2.2.0.0 |
Timeline
- Apr 24, 2018 CVE Published
- Nov 8, 2023 CVE Updated
- May 1, 2026 Distribution Patch
- May 1, 2026 Security Advisory
References
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9587 report
- http://www.securityfocus.com/bid/95352 url
- http://rhn.redhat.com/errata/RHSA-2017-0260.html advisory
- http://rhn.redhat.com/errata/RHSA-2017-0195.html advisory
- https://github.com/advisories/GHSA-m956-frf4-m2wr advisory
- https://www.exploit-db.com/exploits/41013/ exploit
- https://security.gentoo.org/glsa/201701-77 advisory
- https://access.redhat.com/errata/RHSA-2017:1685 advisory
- https://access.redhat.com/errata/RHSA-2017:0515 advisory
- https://access.redhat.com/errata/RHSA-2017:0448 advisory