CVE-2016-8628
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
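Two checks a practitioner would want when triaging this entry on a controller: confirm the installed Ansible is at or past the fixed release listed in the package table below (2.2.0.0), and look through any stored facts for keys that would override how the controller connects to or executes on a host. The following is an added example, not code from this page or from the Ansible project. It assumes a fact cache in the shape written by the `jsonfile` cache plugin (one dict of facts per host); the list of behavioural variables is taken from Ansible's inventory documentation, and the choice to flag only those keys, at the top level of each host's facts, is this example's own.

```python
"""Added example: Ansible version check plus fact-cache audit for this CVE.
Not code from the page or from the Ansible project; the fact cache and
version strings below are constructed for illustration."""
import json
import re

# Fixed release from this page's package table (PyPI ansible >= 2.2.0.0).
FIXED_VERSION = (2, 2, 0, 0)

# Behavioural inventory parameters (per Ansible's inventory docs) that change
# how the controller connects to, or runs code on, a managed host. A fact
# carrying one of these names should not be trusted; which names to flag is
# this example's assumption, not a list published with the CVE.
BEHAVIOURAL_VARS = frozenset({
    "ansible_connection", "ansible_host", "ansible_port", "ansible_user",
    "ansible_password", "ansible_ssh_private_key_file",
    "ansible_ssh_common_args", "ansible_ssh_extra_args", "ansible_sftp_extra_args",
    "ansible_scp_extra_args", "ansible_ssh_pipelining", "ansible_ssh_executable",
    "ansible_python_interpreter", "ansible_shell_type", "ansible_shell_executable",
    "ansible_become", "ansible_become_method", "ansible_become_user",
    "ansible_become_password", "ansible_become_exe", "ansible_become_flags",
})


def parse_version(text):
    """Extract a dotted version from e.g. 'ansible 2.1.2.0' or '2.2.0.0-1'
    and return it as a 4-tuple of ints, right-padded with zeros."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (4 - len(parts))


def is_vulnerable_version(text):
    """True when the version is below the fixed release on this page."""
    return parse_version(text) < FIXED_VERSION


def audit_facts(fact_cache):
    """fact_cache: {host: {fact_name: value}}.
    Returns {host: [fact names that collide with behavioural variables]}
    for every host with at least one collision; clean hosts are omitted."""
    findings = {}
    for host, facts in fact_cache.items():
        hits = sorted(k for k in facts if k in BEHAVIOURAL_VARS)
        if hits:
            findings[host] = hits
    return findings


# Constructed sample: one ordinary host and one whose cached facts carry
# controller-side connection settings that gathered facts never legitimately
# produce.
SAMPLE_FACT_CACHE = json.loads("""
{
  "web01": {"ansible_os_family": "Debian", "ansible_hostname": "web01",
            "ansible_python": {"version": {"major": 3}}},
  "web02": {"ansible_os_family": "Debian", "ansible_hostname": "web02",
            "ansible_python_interpreter": "/tmp/.cache/python",
            "ansible_ssh_common_args": "-o ProxyCommand=/tmp/.cache/proxy %h %p"}
}
""")


if __name__ == "__main__":
    for v in ("ansible 2.1.2.0", "ansible 2.2.0.0", "ansible 2.10.7"):
        print(v, "->", "VULNERABLE" if is_vulnerable_version(v) else "fixed")
    for host, keys in audit_facts(SAMPLE_FACT_CACHE).items():
        print("%s: suspicious fact keys %s" % (host, ", ".join(keys)))
```

Feed `audit_facts` the parsed contents of your fact cache directory (one JSON document per host with `jsonfile`), and treat any hit as a reason to inspect the host that produced the facts rather than a false positive to suppress: gathered facts describe the managed node and have no business setting how the controller reaches it.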
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2016-8628.html
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2016-8628
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | bookworm | fixed | 2.2.0.0-1 |
| debian | bullseye | fixed | 2.2.0.0-1 |
| debian | forky | fixed | 2.2.0.0-1 |
| debian | sid | fixed | 2.2.0.0-1 |
| debian | trixie | fixed | 2.2.0.0-1 |
| sles | | affected | |
Package impact
| Ecosystem | Package | Vulnerable | Fixed |
|---|---|---|---|
| PyPI | ansible | <2.2.0.0 | 2.2.0.0 |
References
- https://security-tracker.debian.org/tracker/CVE-2016-8628
- https://www.suse.com/security/cve/CVE-2016-8628.html
- https://nvd.nist.gov/vuln/detail/CVE-2016-8628
- https://github.com/ansible/ansible/issues/41903
- https://github.com/ansible/ansible/commit/35938b907dfcd1106ca40b794f0db446bdb8cf09
- https://access.redhat.com/errata/RHSA-2016:2778
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628
- https://github.com/advisories/GHSA-jg4f-jqm5-4mgq
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-38.yaml
- https://web.archive.org/web/20200227214455/http://www.securityfocus.com/bid/94109
- http://www.securityfocus.com/bid/94109