CVE-2016-8628
Ansible fails to properly sanitize fact variables sent from the Ansible controller
Severity: 9.1 CRITICAL (CVSS 3.1)
EPSS: 0.46%
Description
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
How to fix CVE-2016-8628
To remediate CVE-2016-8628, upgrade the affected package to a fixed version below.
- —upgrade to 2.2.0.0-1 or later
- —upgrade to 2.2.0.0 or later
- —upgrade to 2.2.0.0 or later
Is CVE-2016-8628 being exploited?
Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.
Affected packages (3)
- from 0, < 2.2.0.0-1
- from 0, < 2.2.0.0
- from 0, < 2.2.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H |
| osv | CVSS 3.1 | CRITICAL 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |