CVE-2014-3498: Input Validation
First published: Thu May 12 2016(Updated: )
It was reported that user module in ansible before 1.6.6 is vulnerable to command execution. Ansible can get the result of remote command in variable, which may come from untrusted source of input. The content of variable isn't properly filtered and when attempting to use the variable, it will trigger a function that passes it through jinja 2 template engine that can result into arbitrary command execution. Under certain circumstances, unprivileged user on system that is being managed via ansible can execute code on the managing host under UID of running ansible process. Upstream patch: <a href="https://github.com/ansible/ansible/commit/8ed6350e65c82292a631f08845dfaacffe7f07f5">https://github.com/ansible/ansible/commit/8ed6350e65c82292a631f08845dfaacffe7f07f5</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ansible | <1.6.6 | 1.6.6 |
| pip/ansible | <1.6.6 | 1.6.6 |
| Red Hat Ansible | <=1.6.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2014-3498
- https://github.com/ansible/ansible/commit/8ed6350e65c82292a631f08845dfaacffe7f07f5
- https://bugzilla.redhat.com/show_bug.cgi?id=1335551
- https://github.com/advisories/GHSA-4cvm-5776-jx9f (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2017-2.yaml
Frequently Asked Questions
What is the severity of CVE-2014-3498?
CVE-2014-3498 is classified as a high severity vulnerability due to the potential for command execution.
How do I fix CVE-2014-3498?
To fix CVE-2014-3498, you should upgrade ansible to version 1.6.6 or later.
What versions of Ansible are affected by CVE-2014-3498?
Versions of Ansible prior to 1.6.6, specifically up to and including 1.6.5, are affected by CVE-2014-3498.
What type of vulnerability is CVE-2014-3498?
CVE-2014-3498 is a command execution vulnerability that arises from improper filtering of user input.
Can CVE-2014-3498 be exploited remotely?
Yes, CVE-2014-3498 can be exploited remotely since it involves executing commands with untrusted input.
- agent/type
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2014-3498
- agent/software-canonical-lookup
- agent/remedy
- agent/weakness
- agent/severity
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-4cvm-5776-jx9f
- agent/last-modified-date
- agent/references
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/author
- agent/tags
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- agent/softwarecombine
- package-manager/redhat
- package-manager/pip
- vendor/redhat
- canonical/red hat ansible
- version/red hat ansible/1.6.5