Ansible versions prior to 2.1.4 and 2.2.1 are vulnerable to improper input validation in Ansible's handling of data sent from client systems. An attacker who controls a client system managed by Ansible and can send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server with the Ansible server's privileges.

Vulnerable Product |
---|
redhat ansible |
ansible ansible |
redhat openstack 11 |

Just the Facts, sysadmins
Ansible sysadmins, make with the patch-fingers because the project's just gone public with a high-severity bug. CVE-2016-9587 is a peach: “a compromised remote system being managed via Ansible can lead to commands being run on the Ansible controller (as the user running the ansible or ansible-playbook command)”, Ansible lead at Red Hat James Cammarata writes. Dutch outfit Computest found the bug. It writes that if an attacker can get access to one compromised machine, they can use that as a ...