CVE-2016-8628

Aliases:GHSA-jg4f-jqm5-4mgqPYSEC-2018-38

Advisory lineage Upstream: 0 Downstream: 7

Downstream

DEBIAN-CVE-2016-8628 OPENSUSE-SU-2017:2976-1 OPENSUSE-SU-2017:2978-1 RHSA-2016:2778 SUSE-SU-2020:3309-1 SUSE-SU-2024:1509-1

Modified

Published: 31 Jul 2018, 20:00

Last modified:06 Aug 2024, 02:27

Vulnerability Summary

Overall Risk (default)

high

70/100

CVSS Score

9.1 CRITICAL

v3.0 (nvd)

EPSS Score

0.46% LOW

0% probability +0.01%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

31 Jul 2018, 20:00

Published

Vulnerability first disclosed

06 Aug 2024, 02:27

Last Modified

Vulnerability information updated

Description

Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.

CVSS Metrics

v4.0•CRITICAL•Score: 9.4CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
v3.0•HIGH•Score: 7.6CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
v3.0•CRITICAL•Score: 9.1CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
v2.0•HIGH•Score: 9AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS Trends

Current EPSS score: 0.46%• Percentile: 64%

Techniques & Countermeasures

CWE-77•Improper Neutralization of Special Elements used in a Command ('Command Injection')
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

Affected Systems

PyPI•ansible
< 2.2.0.0
red hat•ansible
2.2.0
redhat•ansible
< 2.2.0