CVE-2016-8628: Command Injection
First published: Mon Oct 24 2016(Updated: )
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Ansible | <2.2.0 | 2.2.0 |
| pip/ansible | >=0<2.2.0.0 | 2.2.0.0 |
| Red Hat Ansible | <2.2.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://nvd.nist.gov/vuln/detail/CVE-2016-8628
- https://github.com/advisories/GHSA-jg4f-jqm5-4mgq (Advisory)
- https://github.com/ansible/ansible/commit/35938b907dfcd1106ca40b794f0db446bdb8cf09
- https://access.redhat.com/errata/RHSA-2016:2778
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628
- http://www.securityfocus.com/bid/94109
- https://github.com/ansible/ansible/issues/41903
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1390647
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1390649
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1390646
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1390648
- https://github.com/ansible/ansible/releases/tag/v2.2.0.0-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1388113
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-38.yaml
- https://web.archive.org/web/20200227214455/http://www.securityfocus.com/bid/94109
Frequently Asked Questions
What is the severity of CVE-2016-8628?
CVE-2016-8628 is considered a critical vulnerability due to its ability to allow arbitrary command execution on Ansible clients.
How do I fix CVE-2016-8628?
To fix CVE-2016-8628, upgrade Ansible to version 2.2.0 or later.
What versions of Ansible are affected by CVE-2016-8628?
CVE-2016-8628 affects all versions of Ansible prior to 2.2.0.
Can CVE-2016-8628 be exploited remotely?
Yes, CVE-2016-8628 can be exploited remotely by attackers with access to the Ansible controller.
What are the implications of CVE-2016-8628 for system security?
The implications of CVE-2016-8628 include potential unauthorized access and control over Ansible-managed systems.
- agent/type
- agent/first-publish-date
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-8628
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-jg4f-jqm5-4mgq
- agent/references
- agent/last-modified-date
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/author
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- package-manager/pip
- vendor/redhat
- canonical/red hat ansible