9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
ansible is vulnerable to unsafe lookups. The library does not wrap the jinja2 environment properly, resulting in the lookup results being rendered as unicode strings. This can result in arbitrary code being executed in the templates.
www.securityfocus.com/bid/98492
access.redhat.com/errata/RHSA-2017:1244
access.redhat.com/errata/RHSA-2017:1334
access.redhat.com/errata/RHSA-2017:1476
access.redhat.com/errata/RHSA-2017:1499
access.redhat.com/errata/RHSA-2017:1599
access.redhat.com/errata/RHSA-2017:2524
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1477925
bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481
github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2
lists.debian.org/debian-lts-announce/2021/01/msg00023.html
usn.ubuntu.com/4072-1/
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P