CVE-2016-9587

HIGH8.1EPSS 3.0%

Ansible is vulnerable to an improper input validation in Ansible's handling of data sent from client systems

發布日:2018/10/10修改日:2026/4/28

描述

Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.

受影響套件(4)

Alpine/ansiblefrom 0, < 2.1.4.0-r0
Debian/ansiblefrom 0, < 2.2.0.0-3
PyPI/ansiblefrom 0, < 2.1.4.0
PyPI/ansiblefrom 0, < 2.1.4.0, >= 2.2.0.0, < 2.2.1.0

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
osv	CVSS 3.1	HIGH8.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

參考連結(17)

ADVISORYhttps://github.com/advisories/GHSA-m956-frf4-m2wr
ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2016-9587
ADVISORYhttps://security.alpinelinux.org/vuln/CVE-2016-9587
ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2016-9587
PATCHhttps://github.com/ansible/ansible
WEBhttp://rhn.redhat.com/errata/RHSA-2017-0195.html
WEBhttp://rhn.redhat.com/errata/RHSA-2017-0260.html
WEBhttps://access.redhat.com/errata/RHSA-2017:0448
WEBhttps://access.redhat.com/errata/RHSA-2017:0515
WEBhttps://access.redhat.com/errata/RHSA-2017:1685
WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9587
WEBhttps://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-39.yaml
WEBhttps://security.gentoo.org/glsa/201701-77
WEBhttps://web.archive.org/web/20170115210655/http://www.securityfocus.com/bid/95352
WEBhttps://www.exploit-db.com/exploits/41013
WEBhttps://www.exploit-db.com/exploits/41013/
WEBhttp://www.securityfocus.com/bid/95352