CVE-2016-9587 — HIGH (8.1) — White Hats Nepal

Q: How severe is CVE-2016-9587?

CVE-2016-9587 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2016-9587?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Ansible, Ansible Ansible, Redhat Openstack.

Vulnerability Description

Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Affected Products

Vendor	Product	Versions
Redhat	Ansible	< 2.1.4
Ansible	Ansible	< 2.2.1
Redhat	Openstack	11

Related Weaknesses (CWE)

CWE-20

References

http://rhn.redhat.com/errata/RHSA-2017-0195.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-0260.htmlThird Party Advisory
http://www.securityfocus.com/bid/95352Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:0448Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0515Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1685Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9587Issue TrackingThird Party Advisory
https://security.gentoo.org/glsa/201701-77Third Party Advisory
https://www.exploit-db.com/exploits/41013/ExploitThird Party AdvisoryVDB Entry
http://rhn.redhat.com/errata/RHSA-2017-0195.htmlThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2017-0260.htmlThird Party Advisory
http://www.securityfocus.com/bid/95352Third Party AdvisoryVDB Entry
https://access.redhat.com/errata/RHSA-2017:0448Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:0515Third Party Advisory
https://access.redhat.com/errata/RHSA-2017:1685Third Party Advisory

FAQ

What is CVE-2016-9587?

CVE-2016-9587 is a vulnerability with a CVSS score of 8.1 (HIGH). Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed b...

How severe is CVE-2016-9587?

CVE-2016-9587 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2016-9587?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Ansible, Ansible Ansible, Redhat Openstack.