Remote Code Execution Vulnerability in Ansible by Red Hat
CVE-2017-7481
5.3 MEDIUM
What is CVE-2017-7481?
Ansible versions before 2.3.1.0 and 2.4.0.0 are vulnerable because lookup-plugin results are not marked properly. An attacker who controls the result of a lookup() call can inject Unicode strings that the Jinja2 templating system then parses, leading to unauthorized code execution. With no safeguard in place, the injected text is evaluated as a template and can run dangerous code on affected systems.
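The flaw class described above, as a simplified model added here for illustration and not taken from Ansible's code: a templater that also templates variable values will evaluate expressions inside a lookup result unless that result carries a marker telling it to stop. `UnsafeText`, `lookup`, `render` and `run_task` are hypothetical names, the toy engine only resolves variable names, and the sample data is constructed.

```python
import re

# Simplified model with hypothetical names; this is not Ansible's templar.
EXPR = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class UnsafeText(str):
    """Marker type for data that must never be parsed as a template."""


def lookup(external_data, mark_unsafe):
    """Stand-in for a lookup plugin whose result an outsider can influence."""
    return UnsafeText(external_data) if mark_unsafe else external_data


def render(value, variables, depth=0):
    """Expand {{ name }} expressions; variable values are templated in turn."""
    if isinstance(value, UnsafeText):
        return str(value)  # marked data is emitted verbatim, never re-parsed
    if depth > 10:
        raise RecursionError("template nesting too deep")

    def expand(match):
        name = match.group(1)
        if name not in variables:
            return match.group(0)  # unknown names are left untouched
        return render(variables[name], variables, depth + 1)

    return EXPR.sub(expand, value)


def run_task(mark_unsafe):
    # Constructed sample: text read from a source the playbook author does not control.
    external = "welcome {{ api_token }}"
    variables = {
        "api_token": "constructed-secret",
        "banner": lookup(external, mark_unsafe),
    }
    return render("motd: {{ banner }}", variables)


if __name__ == "__main__":
    print("unmarked:", run_task(mark_unsafe=False))
    print("marked:  ", run_task(mark_unsafe=True))
```

In the unmarked case the expression embedded in the external text is evaluated against the playbook's variables; in real Jinja2 the expression language is rich enough that such evaluation amounts to code execution.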
Affected Version(s)
ansible ansible 2.3.1.0
ansible ansible 2.4.0.0
