Description
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
CVSS breakdown
CVSS 3.0
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High
Affected products
- Red Hat / Ansible2.2.0 – 2.2.0