CVE-2014-3498
high
CVSS v3: 8.8
CVSS v2: 6.5
VIR risk: 8.8
Description
The user module in Ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands.
Predictions
Exploit likelihood: 92%
Patch ETA: —
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: secalert@redhat.com — https://github.com/ansible/ansible/commit/8ed6350e65c82292a631f08845dfaacffe7f07f5
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-3498
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 1.7.0+dfsg-1 |
| debian | bullseye | fixed | 1.7.0+dfsg-1 |
| debian | forky | fixed | 1.7.0+dfsg-1 |
| debian | sid | fixed | 1.7.0+dfsg-1 |
| debian | trixie | fixed | 1.7.0+dfsg-1 |
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| redhat | ansible | <= 1.6.5 | |
References
- https://security-tracker.debian.org/tracker/CVE-2014-3498
- https://nvd.nist.gov/vuln/detail/CVE-2014-3498
- https://github.com/ansible/ansible/commit/8ed6350e65c82292a631f08845dfaacffe7f07f5
- https://bugzilla.redhat.com/show_bug.cgi?id=1335551
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2017-2.yaml
CWEs
CWE-20