CVE-2016-8628
Severity: HIGH
Ansible < 2.2.0 - Remote Code Execution via Fact Variable Injection
Title source: llmDescription
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
References (3)
Third Party Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2016:2778
Third Party Advisory, VDB Entry (vdb-entry, x_refsource_bid): http://www.securityfocus.com/bid/94109
Issue Tracking, Third Party Advisory (x_refsource_confirm): https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628
Scores
CVSS v3 base score: 7.6 (HIGH)
CVSS v3 vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H
Attack Vector: NETWORK
EPSS: 0.0325 (86.8th percentile)
Details
CWE: CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection')
Status: published
Products (2)
pypi/ansible (PyPI): 0 - 2.2.0.0 (every release before 2.2.0; the upper bound is the fixed version)
redhat/ansible: < 2.2.0
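To triage a fleet of controllers against the product range above, the practical check is a version comparison that does not trip over Ansible's four-component version numbers or its release candidates. The following is an added example, not part of this record and not Ansible project code: `version_from_cli_output` pulls the version out of the first line of `ansible --version`, and `is_affected` compares it with the exclusive upper bound 2.2.0.0 listed here. The names are my own, the sample output is constructed, and one assumption is made that the record does not state: pre-releases of 2.2.0 (rc, beta, dev) are sorted below 2.2.0.0 as in PEP 440 and therefore reported as affected.

```python
import re

# Affected range from this record: pypi/ansible 0 - 2.2.0.0, i.e. everything
# before 2.2.0 (exclusive upper bound). Assumption (not stated by the record):
# 2.2.0 pre-releases sort below the final 2.2.0.0 and count as affected.
FIXED_RELEASE = (2, 2, 0, 0)

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:[.-]?(dev|a|b|rc)(\d*))?$", re.IGNORECASE)
_PRE_RANK = {"dev": 0, "a": 1, "b": 2, "rc": 3}


def version_key(version):
    """Turn '2.2.0.0rc1' into a comparable tuple:
    (release digits padded to 4 parts, is_final, pre_rank, pre_number)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised Ansible version: %r" % version)
    release = tuple(int(p) for p in m.group(1).split("."))
    release += (0,) * max(0, 4 - len(release))       # so 2.2.0 == 2.2.0.0
    if m.group(2):
        return (release, 0, _PRE_RANK[m.group(2).lower()], int(m.group(3) or 0))
    return (release, 1, 0, 0)                          # a final release sorts last


def is_affected(version):
    """True when the version falls inside the affected range of this record."""
    rel, final, rank, num = version_key(version)
    n = max(len(rel), len(FIXED_RELEASE))
    rel = rel + (0,) * (n - len(rel))
    fixed = FIXED_RELEASE + (0,) * (n - len(FIXED_RELEASE))
    return (rel, final, rank, num) < (fixed, 1, 0, 0)


def version_from_cli_output(output):
    """Extract the version from the first line of `ansible --version`, e.g.
    'ansible 2.1.2.0'. Caveat: a devel checkout prints its *target* version
    plus a git hash ('ansible 2.2.0.0 (devel <hash>)'), so a devel build
    cannot be classified from the version number alone; check the hash
    against the fix commit instead."""
    first = output.strip().splitlines()[0]
    m = re.match(r"^ansible\s+(?:\[core\s+)?(\d[\w.]*)", first)
    if not m:
        raise ValueError("not `ansible --version` output: %r" % first)
    return m.group(1)


# Constructed sample of `ansible --version` output; not captured from a real host.
SAMPLE_OUTPUT = """ansible 2.1.2.0
  config file = /etc/ansible/ansible.cfg
  configured module search path = Default w/o overrides
"""

if __name__ == "__main__":
    v = version_from_cli_output(SAMPLE_OUTPUT)
    print(v, "affected by CVE-2016-8628:", is_affected(v))
```

Run it with the real output of `ansible --version` on each controller; anything reported as affected should be upgraded to 2.2.0 or later, which is the upper bound of both product entries above.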
Published: Jul 31, 2018
Tracked Since: Feb 18, 2026