CVE-2016-9587: Input Validation
First published: Tue Dec 13 2016(Updated: )
Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ansible | <2.1.4 | 2.1.4 |
| redhat/ansible | <2.2.1 | 2.2.1 |
| pip/ansible | =2.2.0.0 | 2.2.1.0 |
| pip/ansible | <=2.1.3.0 | 2.1.4.0 |
| Red Hat Ansible | <2.1.4 | |
| Ansible | <2.2.1 | |
| Red Hat OpenStack for IBM Power | =11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://rhn.redhat.com/errata/RHSA-2017-0195.html
- http://rhn.redhat.com/errata/RHSA-2017-0260.html
- http://www.securityfocus.com/bid/95352
- https://access.redhat.com/errata/RHSA-2017:0448
- https://access.redhat.com/errata/RHSA-2017:0515
- https://access.redhat.com/errata/RHSA-2017:1685
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9587
- https://security.gentoo.org/glsa/201701-77
- https://www.exploit-db.com/exploits/41013/
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1234010
- https://bugzilla.redhat.com/show_bug.cgi/attachment.cgi?id=1234010&action=edit
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1412356
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1412357
- https://rhn.redhat.com/errata/RHSA-2017-0195.html
- https://rhn.redhat.com/errata/RHSA-2017-0260.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1404378
- https://nvd.nist.gov/vuln/detail/CVE-2016-9587
- https://github.com/advisories/GHSA-m956-frf4-m2wr (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-39.yaml
- https://web.archive.org/web/20170115210655/http://www.securityfocus.com/bid/95352
- https://www.exploit-db.com/exploits/41013
Frequently Asked Questions
What is the severity of CVE-2016-9587?
CVE-2016-9587 is considered to have a moderate severity level due to improper input validation in Ansible.
How do I fix CVE-2016-9587?
To fix CVE-2016-9587, update Ansible to versions 2.1.4 or 2.2.1 or later.
Who is affected by CVE-2016-9587?
CVE-2016-9587 affects users of Ansible versions earlier than 2.1.4 and 2.2.1.
What type of vulnerability is CVE-2016-9587?
CVE-2016-9587 is a vulnerability related to improper input validation.
Can CVE-2016-9587 be exploited remotely?
Yes, CVE-2016-9587 can be exploited by an attacker with control over a client system sending data to the Ansible server.
- agent/type
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2016-9587
- agent/software-canonical-lookup
- agent/weakness
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-m956-frf4-m2wr
- agent/references
- agent/last-modified-date
- agent/author
- agent/severity
- agent/description
- agent/event
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- package-manager/redhat
- package-manager/pip
- vendor/redhat
- canonical/red hat ansible
- vendor/ansible
- canonical/ansible
- canonical/red hat openstack for ibm power
- version/red hat openstack for ibm power/11