GHSA-m956-frf4-m2wr

Source

https://github.com/advisories/GHSA-m956-frf4-m2wr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-m956-frf4-m2wr/GHSA-m956-frf4-m2wr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-m956-frf4-m2wr

Aliases

Published

2018-10-10T17:22:53Z

Modified

2024-09-04T18:52:44.063026Z

Severity

8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
9.2 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator

Summary

Ansible is vulnerable to an improper input validation in Ansible's handling of data sent from client systems

Details

Ansible before versions 2.1.4.0, 2.2.1.0 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.

References

Affected packages

PyPI / ansible

Package

Name: ansible; View open source insights on deps.dev
Purl: pkg:pypi/ansible

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.1.4.0

Affected versions

1.*

1.0

1.1

1.2

1.2.1

1.2.2

1.2.3

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.4

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.5

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.6

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.7

1.7.1

1.7.2

1.8

1.8.1

1.8.2

1.8.3

1.8.4

1.9.0

1.9.0.1

1.9.1

1.9.2

1.9.3

1.9.4

1.9.5

1.9.6

2.*

2.0.0

2.0.0.0

2.0.0.1

2.0.0.2

2.0.1.0

2.0.2.0

2.1.0.0

2.1.1.0

2.1.2.0

2.1.3.0

Database specific

{
    "last_known_affected_version_range": "<= 2.1.3.0"
}