pysec-2018-40
Vulnerability from pysec
Published
2018-06-22 13:29
Modified
2021-07-02 02:41
Details

Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.

Aliases


To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "ansible",
        "purl": "pkg:pypi/ansible"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.3.0.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "1.0",
        "1.1",
        "1.2",
        "1.2.1",
        "1.2.2",
        "1.2.3",
        "1.3.0",
        "1.3.1",
        "1.3.2",
        "1.3.3",
        "1.3.4",
        "1.4",
        "1.4.1",
        "1.4.2",
        "1.4.3",
        "1.4.4",
        "1.4.5",
        "1.5",
        "1.5.1",
        "1.5.2",
        "1.5.3",
        "1.5.4",
        "1.5.5",
        "1.6",
        "1.6.1",
        "1.6.10",
        "1.6.2",
        "1.6.3",
        "1.6.4",
        "1.6.5",
        "1.6.6",
        "1.6.7",
        "1.6.8",
        "1.6.9",
        "1.7",
        "1.7.1",
        "1.7.2",
        "1.8",
        "1.8.1",
        "1.8.2",
        "1.8.3",
        "1.8.4",
        "1.9.0",
        "1.9.0.1",
        "1.9.1",
        "1.9.2",
        "1.9.3",
        "1.9.4",
        "1.9.5",
        "1.9.6",
        "2.0.0",
        "2.0.0.0",
        "2.0.0.1",
        "2.0.0.2",
        "2.0.1.0",
        "2.0.2.0",
        "2.1.0.0",
        "2.1.1.0",
        "2.1.2.0",
        "2.1.3.0",
        "2.1.4.0",
        "2.1.5.0",
        "2.1.6.0",
        "2.2.0.0",
        "2.2.1.0",
        "2.2.2.0",
        "2.2.3.0"
      ]
    }
  ],
  "aliases": [
    "CVE-2017-7466"
  ],
  "details": "Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.",
  "id": "PYSEC-2018-40",
  "modified": "2021-07-02T02:41:33.763354Z",
  "published": "2018-06-22T13:29:00Z",
  "references": [
    {
      "type": "REPORT",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2017:1685"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2017:1599"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2017:1499"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2017:1476"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2017:1334"
    },
    {
      "type": "ADVISORY",
      "url": "https://access.redhat.com/errata/RHSA-2017:1244"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/97595"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.