bolt is vulnerable to cross-site scripting (XSS). A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host’s shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment.
access.redhat.com/errata/RHSA-2022:0108
access.redhat.com/security/cve/CVE-2021-4041
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=2028074
github.com/ansible/ansible-runner/commit/3533f265f4349a3f2a0283158cd01b59a6bbc7bd
github.com/bolt/bolt/commit/b42cbfcf3e3108c46a80581216ba03ef449e419f