CVE-2014-4967: Injection in Redhat Ansible

CWE-74 Injection | 9 documents | 6 sources
Severity: 9.8 CRITICAL (NVD)
EPSS: 4.7% (top 10.56%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Feb 18
Latest update: May 17

Description

Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" clause, or (3) a trailing " validate=" clause accompanied by a shell command.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitability: 3.9 | Impact: 5.9

Affected Packages (3 packages)

NVD: redhat/ansible < 1.6.7
PyPI: redhat/ansible < 1.6.7
Debian: redhat/ansible < 1.6.8+dfsg-1+3

🔴 Vulnerability Details (4)

OSV: Ansible Arbitrary Code Execution (2022-05-17)
GHSA: Ansible Arbitrary Code Execution (2022-05-17)
OSV: CVE-2014-4967: Multiple argument injection vulnerabilities in Ansible before 1 (2020-02-18)
CVEList: CVE-2014-4967: Multiple argument injection vulnerabilities in Ansible before 1 (2020-02-18)

📋 Vendor Advisories (1)

Debian: CVE-2014-4967: ansible - Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote... (2014)

💬 Community (3)

Bugzilla: CVE-2014-4967 CVE-2014-4966 ansible: multiple flaws [fedora-all] (2014-07-22)
Bugzilla: CVE-2014-4967 CVE-2014-4966 ansible: multiple flaws [epel-all] (2014-07-22)
Bugzilla: CVE-2014-4966 CVE-2014-4967 ansible: multiple flaws (2014-07-22)