A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
redhat ansible tower 3.4.5 |
||
redhat ansible tower 3.5.5 |
||
redhat ansible tower 3.6.3 |
||
redhat ansible engine 2.8.8 |
||
redhat ansible engine 2.9.5 |
||
redhat ansible engine |
||
redhat ansible tower |