CVE-2014-4657

CWE-20Improper Input ValidationCWE-94Code InjectionCWE-7413 documents7 sources
Severity
9.8CRITICAL
EPSS
2.2%
top 15.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Redhat Ansible
Timeline
PublishedFeb 20
Latest updateMay 24

Description

The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages4 packages

PyPIansible< 1.5.4
NVDredhat/ansible< 1.5.4
Debianansible< 1.5.5+dfsg-1+3
CVEListV5ansiblebefore 1.6.4

🔴Vulnerability Details

5
GHSA
Ansible Code Injection Vulnerability2022-05-24
GHSA
Ansible Remote Code Execution2022-05-17
OSV
Ansible Remote Code Execution2022-05-17
CVEList
CVE-2014-4657: The safe_eval function in Ansible before 12020-02-20
OSV
CVE-2014-4657: The safe_eval function in Ansible before 12020-02-20

📋Vendor Advisories

3
Red Hat
ansible: safe_eval function does not properly restrict the code subset leads to arbitrary code execution via crafted instructions2020-02-19
Red Hat
ansible: improper restriction of code subset allows remote arbitrary code execution via crafted instructions2014-04-01
Debian
CVE-2014-4657: ansible - The safe_eval function in Ansible before 1.5.4 does not properly restrict the co...2014

💬Community

4
Bugzilla
CVE-2014-4657 ansible: improper restriction of code subset allows remote arbitrary code execution via crafted instructions [fedora-all]2020-05-04
Bugzilla
CVE-2014-4657 ansible: improper restriction of code subset allows remote arbitrary code execution via crafted instructions [epel-all]2020-05-04
Bugzilla
CVE-2014-4657 ansible: improper restriction of code subset allows remote arbitrary code execution via crafted instructions2020-05-04
Bugzilla
CVE-2014-4678 ansible: safe_eval function does not properly restrict the code subset leads to arbitrary code execution via crafted instructions2020-04-28