CVE-2017-7481
CRITICAL | IN THE WILD
Ansible < 2.3.1.0 and < 2.4.0.0 - Code Injection
Title source: llm
Exploitation Summary
CVE-2017-7481 has been observed exploited in the wild (reported by InTheWild.io).
Description
Ansible before 2.3.1.0 (and development builds before 2.4.0.0) did not mark the results of lookup plugins as unsafe. Lookup plugins pull data from outside the playbook (the file, pipe, lines and url lookups, for example, and every `with_*` loop is one), and the value they returned was handed back to the Jinja2 templating engine as ordinary, templatable text. An attacker who controlled that data (the content of a file read with `with_file`, a line of command output consumed by `with_lines`, a fetched URL body) could embed Jinja2 syntax such as `{{ lookup('pipe', '...') }}` in it; when the playbook later referenced the value, for instance as `{{ item }}`, Ansible evaluated the injected expression and executed arbitrary code on the control node with the privileges of the user running the play. The fix (commit ed56f51f, shipped in 2.3.1.0 and 2.4.0.0) wraps lookup results in Ansible's 'unsafe' marker type, so the templating engine passes them through literally instead of evaluating them. To check an installation, run `ansible --version`; anything older than 2.3.1.0 is affected unless the distribution has backported the patch (see the Red Hat, Ubuntu and Debian advisories below).
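The following is an added illustration of the mechanism, not Ansible's own code: a toy templating engine in which `ToyTemplar`, `UnsafeText` and `wrap_unsafe` stand in for Ansible's Templar, AnsibleUnsafeText and wrap_var, and the 'file' and 'pipe' lookups only record what the real plugins would read or run (the real pipe lookup executes its argument in a shell). The attacker-controlled file content and the path /srv/motd are constructed sample data. With lookup results left as plain strings, the injected `{{ lookup('pipe', ...) }}` inside the file is evaluated when `{{ item }}` is rendered; with the fix applied (results wrapped as unsafe), the same content is returned literally.

```python
"""Toy model of CVE-2017-7481: lookup results that are not marked unsafe are
templated again. Added illustration, not Ansible's code; the names below are
stand-ins for Ansible's Templar, AnsibleUnsafeText and wrap_var."""
import re

EXPR = re.compile(r"\{\{\s*(.*?)\s*\}\}")
LOOKUP_CALL = re.compile(r"lookup\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)")


class UnsafeText(str):
    """A string the templar must return untouched instead of parsing again."""


def wrap_unsafe(value):
    """Mark every string in a lookup result as unsafe (the gist of the fix)."""
    if isinstance(value, list):
        return [wrap_unsafe(v) for v in value]
    return UnsafeText(value)


class ToyTemplar:
    def __init__(self, files, mark_lookup_results_unsafe):
        self.files = files                          # constructed stand-in for the filesystem
        self.fixed = mark_lookup_results_unsafe     # False models Ansible < 2.3.1.0
        self.executed = []                          # commands the 'pipe' lookup was asked to run
        self.variables = {}

    def lookup(self, name, arg):
        """Two stand-in lookup plugins; the real 'pipe' plugin runs arg in a shell."""
        if name == "file":
            ran = [self.files[arg]]
        elif name == "pipe":
            self.executed.append(arg)
            ran = [f"<stdout of {arg}>"]
        else:
            raise KeyError(name)
        return wrap_unsafe(ran) if self.fixed else ran

    def template(self, text, depth=0):
        if isinstance(text, UnsafeText) or "{{" not in text:
            return text                             # unsafe values pass through literally
        if depth > 10:
            raise RecursionError("template nesting too deep")
        return EXPR.sub(lambda m: str(self.evaluate(m.group(1), depth)), text)

    def evaluate(self, expr, depth):
        call = LOOKUP_CALL.fullmatch(expr)
        if call:
            return "".join(self.lookup(call.group(1), call.group(2)))
        if expr in self.variables:
            # A referenced variable is itself templated before use, so a value that
            # still contains '{{ ... }}' is evaluated here unless it is marked unsafe.
            return self.template(self.variables[expr], depth + 1)
        raise NameError(expr)

    def run_loop_task(self, with_plugin, with_arg, task_arg):
        """with_<plugin>: every result becomes `item`, then the task argument is templated."""
        results = []
        for item in self.lookup(with_plugin, with_arg):
            self.variables["item"] = item
            results.append(self.template(task_arg))
        return results


# Constructed sample: a world-writable file consumed by
#   - debug: msg="{{ item }}"
#     with_file: /srv/motd
ATTACKER_FILE = {"/srv/motd": "Welcome! {{ lookup('pipe', 'echo pwned') }}"}


def demonstrate():
    """Return (rendered output, commands run) for the vulnerable and the fixed behaviour."""
    vulnerable = ToyTemplar(ATTACKER_FILE, mark_lookup_results_unsafe=False)
    fixed = ToyTemplar(ATTACKER_FILE, mark_lookup_results_unsafe=True)
    return {
        "vulnerable": (vulnerable.run_loop_task("file", "/srv/motd", "{{ item }}"), vulnerable.executed),
        "fixed": (fixed.run_loop_task("file", "/srv/motd", "{{ item }}"), fixed.executed),
    }


if __name__ == "__main__":
    for name, (output, ran) in demonstrate().items():
        print(f"{name}: output={output!r} commands_run={ran!r}")
```

The toy deliberately keeps only the part of the fix that matters for the loop case (wrapping lookup results); the real patch also makes the whole rendered output unsafe once an unsafe value has been interpolated, so it cannot be templated again further downstream.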
References (11)
Vendor Advisory: https://access.redhat.com/errata/RHSA-2017:1599
Issue Tracking, Patch, Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481
Vendor Advisory: https://access.redhat.com/errata/RHSA-2017:1334
Third Party Advisory, VDB Entry: http://www.securityfocus.com/bid/98492
Patch, Third Party Advisory: https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2
Vendor Advisory: https://access.redhat.com/errata/RHSA-2017:1244
Vendor Advisory: https://access.redhat.com/errata/RHSA-2017:1499
Vendor Advisory: https://access.redhat.com/errata/RHSA-2017:2524
Vendor Advisory: https://access.redhat.com/errata/RHSA-2017:1476
Third Party Advisory: https://usn.ubuntu.com/4072-1/
Mailing List, Third Party Advisory: https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
Scores
CVSS v3
9.8
EPSS
0.0462
EPSS Percentile
90.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
InTheWild.io
2021-07-23
CWE
CWE-20
Status
published
Products (15)
canonical/ubuntu_linux
16.04
canonical/ubuntu_linux
18.04
canonical/ubuntu_linux
19.04
debian/debian_linux
9.0
pypi/ansible
2.3.0.0 - 2.3.1.0 (PyPI)
redhat/ansible_engine
< 2.3.1.0
redhat/gluster_storage
3.2
redhat/openshift_container_platform
3.3
redhat/openshift_container_platform
3.4
redhat/openshift_container_platform
3.5
... and 5 more
Published
Jul 19, 2018
Tracked Since
Feb 18, 2026