GHSA-2pfh-q76x-gwvm

Source

https://github.com/advisories/GHSA-2pfh-q76x-gwvm

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-2pfh-q76x-gwvm/GHSA-2pfh-q76x-gwvm.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2pfh-q76x-gwvm

Aliases

Published

2021-09-23T23:16:38Z

Modified

2024-09-06T17:50:11.189266Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Improper Input Validation and Command Injection in Ansible

Details

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.

References

Affected packages

PyPI / ansible

Package

Name: ansible; View open source insights on deps.dev
Purl: pkg:pypi/ansible

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.9.23rc1

Affected versions

1.*

1.0

1.1

1.2

1.2.1

1.2.2

1.2.3

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.4

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.5

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.6

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.7

1.7.1

1.7.2

1.8

1.8.1

1.8.2

1.8.3

1.8.4

1.9.0

1.9.0.1

1.9.1

1.9.2

1.9.3

1.9.4

1.9.5

1.9.6

2.*

2.0.0

2.0.0.0

2.0.0.1

2.0.0.2

2.0.1.0

2.0.2.0

2.1.0.0

2.1.1.0

2.1.2.0

2.1.3.0

2.1.4.0

2.1.5.0

2.1.6.0

2.2.0.0

2.2.1.0

2.2.2.0

2.2.3.0

2.3.0.0

2.3.1.0

2.3.2.0

2.3.3.0

2.4.0.0

2.4.1.0

2.4.2.0

2.4.3.0

2.4.4.0

2.4.5.0

2.4.6.0

2.5.0a1

2.5.0b1

2.5.0b2

2.5.0rc1

2.5.0rc2

2.5.0rc3

2.5.0

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

2.5.8

2.5.9

2.5.10

2.5.11

2.5.12

2.5.13

2.5.14

2.5.15

2.6.0a1

2.6.0a2

2.6.0rc1

2.6.0rc2

2.6.0rc3

2.6.0rc4

2.6.0rc5

2.6.0

2.6.1

2.6.2

2.6.3

2.6.4

2.6.5

2.6.6

2.6.7

2.6.8

2.6.9

2.6.10

2.6.11

2.6.12

2.6.13

2.6.14

2.6.15

2.6.16

2.6.17

2.6.18

2.6.19

2.6.20

2.7.0.dev0

2.7.0a1

2.7.0b1

2.7.0rc1

2.7.0rc2

2.7.0rc3

2.7.0rc4

2.7.0

2.7.1

2.7.2

2.7.3

2.7.4

2.7.5

2.7.6

2.7.7

2.7.8

2.7.9

2.7.10

2.7.11

2.7.12

2.7.13

2.7.14

2.7.15

2.7.16

2.7.17

2.7.18

2.8.0a1

2.8.0b1

2.8.0rc1

2.8.0rc2

2.8.0rc3

2.8.0

2.8.1

2.8.2

2.8.3

2.8.4

2.8.5

2.8.6

2.8.7

2.8.8

2.8.9

2.8.10

2.8.11

2.8.12

2.8.13

2.8.14

2.8.15

2.8.16rc1

2.8.16

2.8.17rc1

2.8.17

2.8.18rc1

2.8.18

2.8.19rc1

2.8.19

2.8.20rc1

2.8.20

2.9.0b1

2.9.0rc1

2.9.0rc2

2.9.0rc3

2.9.0rc4

2.9.0rc5

2.9.0

2.9.1

2.9.2

2.9.3

2.9.4

2.9.5

2.9.6

2.9.7

2.9.8

2.9.9

2.9.10

2.9.11

2.9.12

2.9.13

2.9.14rc1

2.9.14

2.9.15rc1

2.9.15

2.9.16rc1

2.9.16

2.9.17rc1

2.9.17

2.9.18rc1

2.9.18

2.9.19rc1

2.9.19

2.9.20rc1

2.9.20

2.9.21rc1

2.9.21

2.9.22rc1

2.9.22

PyPI / ansible

Package

Name: ansible; View open source insights on deps.dev
Purl: pkg:pypi/ansible

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.10.0a1

Fixed

2.10.11rc1

Affected versions

2.*

2.10.0a1

2.10.0a2

2.10.0a3

2.10.0a4

2.10.0a5

2.10.0a6

2.10.0a7

2.10.0a8

2.10.0a9

2.10.0b1

2.10.0b2

2.10.0rc1

2.10.0

2.10.1

2.10.2

2.10.3

2.10.4

2.10.5

2.10.6

2.10.7

PyPI / ansible

Package

Name: ansible; View open source insights on deps.dev
Purl: pkg:pypi/ansible

Affected ranges

Type: ECOSYSTEM
Events: Introduced

2.11.0a1

Fixed

2.11.2rc1