CVE-2016-9587

HIGH

Red Hat Ansible < 2.1.4 - Improper Input Validation

Title source: rule

Description

Ansible before versions 2.1.4 and 2.2.1 is vulnerable to improper input validation in its handling of data sent from client systems. An attacker who controls a client system managed by Ansible and can send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server with the Ansible server's privileges.

Exploits (1)

exploitdb WRITEUP
by Computest · text · remote · linux
https://www.exploit-db.com/exploits/41013

Scores

CVSS v3 8.1
EPSS 0.0305
EPSS Percentile 86.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (4)
ansible/ansible < 2.2.1
pypi/ansible 0 - 2.1.4.0 (PyPI)
redhat/ansible < 2.1.4
redhat/openstack 11
Published Apr 24, 2018
Tracked Since Feb 18, 2026