Vulnerability Description
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Ansible | < 2.2.0 |
Related Weaknesses (CWE)
References
- http://www.securityfocus.com/bid/94109Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2016:2778Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628Issue TrackingThird Party Advisory
- http://www.securityfocus.com/bid/94109Third Party AdvisoryVDB Entry
- https://access.redhat.com/errata/RHSA-2016:2778Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628Issue TrackingThird Party Advisory
FAQ
What is CVE-2016-8628?
CVE-2016-8628 is a vulnerability with a CVSS score of 7.6 (HIGH). Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitr...
How severe is CVE-2016-8628?
CVE-2016-8628 has been rated HIGH with a CVSS base score of 7.6/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2016-8628?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Ansible.