Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2016-8628

Good to know:

icon

Date: July 31, 2018

Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.

Language: Python

Severity Score

Related Resources (12)

https://github.com/ansible/ansible/issues/41903
https://github.com/ansible/ansible
https://github.com/ansible/ansible/commit/35938b907dfcd1106ca40b794f0db446bdb8cf09
https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-38.yaml
http://www.securityfocus.com/bid/94109
https://security-tracker.debian.org/tracker/CVE-2016-8628
https://github.com/advisories/GHSA-jg4f-jqm5-4mgq
https://web.archive.org/web/20200227214455/http://www.securityfocus.com/bid/94109
https://nvd.nist.gov/vuln/detail/CVE-2016-8628
https://access.redhat.com/errata/RHSA-2016:2778
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628
https://www.mend.io/vulnerability-database/CVE-2016-8628

Severity Score

Weakness Type (CWE)

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

Top Fix

icon

Upgrade Version

Upgrade to version ansible - 2.2.0.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): HIGH
Privileges Required (PR): HIGH
User Interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality (C): HIGH
Integrity (I): HIGH
Availability (A): HIGH

CVSS v2

Base Score:
Access Vector (AV): NETWORK
Access Complexity (AC): LOW
Authentication (AU): SINGLE
Confidentiality (C): COMPLETE
Integrity (I): COMPLETE
Availability (A): COMPLETE
Additional information:

Do you need more information?

Contact Us