Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.
{ "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "ansible-node-fireball": "1.5.4+dfsg-1ubuntu0.1~esm2", "ansible-doc": "1.5.4+dfsg-1ubuntu0.1~esm2", "ansible-fireball": "1.5.4+dfsg-1ubuntu0.1~esm2", "ansible": "1.5.4+dfsg-1ubuntu0.1~esm2" } ] }