CVE-2016-8628
ansible: Command injection by compromised server via fact variables
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
Ansible en versiones anteriores a la 2.2.0 no sanea correctamente las variables de hecho enviadas desde el controlador de Ansible. Un atacante que pueda crear variables especiales en el controlador podrĂa ejecutar comandos arbitrarios en los clientes de Ansible como el usuario como el que se ejecuta Ansible.
Ansible fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2016-10-12 CVE Reserved
- 2016-11-16 CVE Published
- 2024-05-15 EPSS Updated
- 2024-08-06 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
References (5)
| URL | Tag | Source |
|---|---|---|
| http://www.securityfocus.com/bid/94109 | Third Party Advisory | |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628 | Issue Tracking |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2016:2778 | 2023-11-07 | |
| https://access.redhat.com/security/cve/CVE-2016-8628 | 2016-11-15 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1388113 | 2016-11-15 |