CVE-2016-8628 — Command Injection in Redhat Ansible
Severity: 9.1 CRITICAL (NVD); 7.6 (CNA)
EPSS: 0.4% (top 37.87%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline: Published Jul 31; Latest update Oct 10
Description
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
CVSS vector
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Exploitability: 2.3 | Impact: 6.0
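The bug class the description names is a host-supplied variable flowing into a command line the controller assembles. The following is an added example written for this page, not Ansible's own code: it shows inventory variables being overridden by facts returned from a managed host and then spliced into a shell string, beside a version that refuses remote overrides of connection variables and builds an argv list instead. The function names, the CONTROLLER_ONLY_VARS allowlist and the sample inventory and fact dictionaries are assumptions made for the illustration; the variable names ansible_ssh_executable and ssh_args are the ones the Bugzilla titles cite.

```python
"""Illustration of the bug class behind CVE-2016-8628 (added example, not
Ansible's code): connection variables overridden by facts that came back from
a managed host, then spliced into a shell command line.

All names, dictionaries and the allowlist below are assumptions for the
example; ansible_ssh_executable and ssh_args are the variables the advisory
titles mention.
"""
import re
import shlex

# Variables that decide which program runs and with which arguments. They may
# only come from the controller's own inventory or playbook, never from a
# dictionary a managed host returned. (Hypothetical allowlist for this example.)
CONTROLLER_ONLY_VARS = frozenset({"ansible_ssh_executable", "ssh_args"})

# Constructed sample data: the controller's own settings for one host.
INVENTORY_VARS = {
    "ansible_ssh_executable": "ssh",
    "ssh_args": "-o StrictHostKeyChecking=yes",
}
# Constructed sample data: what a compromised managed host could hand back
# during fact gathering, one ordinary fact plus a connection variable that
# carries shell metacharacters.
MALICIOUS_FACTS = {
    "ansible_os_family": "Debian",
    "ansible_ssh_executable": "ssh; id > /tmp/injected #",
}


def merge_vars_vulnerable(inventory_vars, remote_facts):
    """Facts blindly override inventory variables, so the remote host gets to
    choose the ssh executable the controller will run."""
    merged = dict(inventory_vars)
    merged.update(remote_facts)
    return merged


def merge_vars_hardened(inventory_vars, remote_facts):
    """Accept remote facts, but never let them touch connection variables."""
    merged = dict(inventory_vars)
    for key, value in remote_facts.items():
        if key in CONTROLLER_ONLY_VARS:
            continue  # a managed host may not pick the ssh binary or its args
        merged[key] = value
    return merged


def build_ssh_command_vulnerable(hostvars, host, remote_cmd):
    """Builds one string intended for a shell: every metacharacter inside a
    variable becomes shell syntax."""
    return "{} {} {} {}".format(
        hostvars.get("ansible_ssh_executable", "ssh"),
        hostvars.get("ssh_args", ""),
        host,
        remote_cmd,
    )


def build_ssh_command_hardened(hostvars, host, remote_cmd):
    """Builds an argv list (to be run with subprocess.run(argv), no shell) and
    rejects an executable that is not a plain program name."""
    exe = hostvars.get("ansible_ssh_executable", "ssh")
    if not re.fullmatch(r"[A-Za-z0-9._-]+", exe):
        raise ValueError("refusing unsafe ansible_ssh_executable: %r" % exe)
    argv = [exe]
    argv.extend(shlex.split(hostvars.get("ssh_args", "")))
    argv.extend([host, remote_cmd])
    return argv


def demo():
    """Returns the vulnerable shell string and the hardened argv side by side."""
    vulnerable = build_ssh_command_vulnerable(
        merge_vars_vulnerable(INVENTORY_VARS, MALICIOUS_FACTS), "web1", "uptime")
    hardened = build_ssh_command_hardened(
        merge_vars_hardened(INVENTORY_VARS, MALICIOUS_FACTS), "web1", "uptime")
    return vulnerable, hardened


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Two points worth keeping in mind when reading the hardened path. The argv list only removes the shell from the picture; ssh itself interprets options such as ProxyCommand that run programs, so an attacker who can still set ssh_args does not need a shell. That is why the allowlist in merge_vars_hardened, which keeps remote facts away from connection variables altogether, is the control that matters, and the executable-name check is a second line of defence. The check as written also rejects absolute paths; a deployment that needs them would allowlist specific paths rather than loosen the pattern.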
Affected packages: 4
Vendor advisories: 4 | Community: 2 | Bugzilla: 5

Bugzilla
CVE-2016-8628 ansible: Command injection by compromised server via ansible_ssh_executable or ssh_args [fedora-all] (2016-11-01)
CVE-2016-8628 ansible1.9: ansible: Command injection by compromised server via ansible_ssh_executable or ssh_args [fedora-all] (2016-11-01)
CVE-2016-8628 ansible: Command injection by compromised server via ansible_ssh_executable or ssh_args [epel-all] (2016-11-01)
CVE-2016-8628 ansible1.9: ansible: Command injection by compromised server via ansible_ssh_executable or ssh_args [epel-all] (2016-11-01)