CVE-2017-7466: Input Validation
First published: Wed Apr 05 2017(Updated: )
Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ansible | <2.3 | 2.3 |
| pip/ansible | <2.2.3.0 | 2.2.3.0 |
| Red Hat Ansible | <2.3 | |
| Red Hat OpenStack for IBM Power | =10 | |
| Red Hat OpenStack for IBM Power | =11 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.securityfocus.com/bid/97595
- https://access.redhat.com/errata/RHSA-2017:1244
- https://access.redhat.com/errata/RHSA-2017:1334
- https://access.redhat.com/errata/RHSA-2017:1476
- https://access.redhat.com/errata/RHSA-2017:1499
- https://access.redhat.com/errata/RHSA-2017:1599
- https://access.redhat.com/errata/RHSA-2017:1685
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466
- https://access.redhat.com/security/cve/CVE-2016-9587
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1441356
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1441358
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1441355
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1441357
- https://bugzilla.redhat.com/show_bug.cgi?id=1439212
- https://nvd.nist.gov/vuln/detail/CVE-2017-7466
- https://github.com/ansible/ansible/issues/24186
- https://web.archive.org/web/20170701161323/http://www.securityfocus.com/bid/97595
- https://github.com/advisories/GHSA-3m8p-xpm6-8ww3 (Advisory)
- https://github.com/ansible/ansible/commit/0d418789a298561fded9bce977d34babc9097079
- https://github.com/ansible/ansible/commit/7ff9fa52cfcef2065f0db80d85dd94b9b754839c
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-40.yaml
Frequently Asked Questions
What is the severity of CVE-2017-7466?
CVE-2017-7466 has a critical severity rating due to the potential for arbitrary code execution.
How do I fix CVE-2017-7466?
To fix CVE-2017-7466, upgrade to Ansible version 2.3 or later.
What systems are affected by CVE-2017-7466?
CVE-2017-7466 affects Ansible versions before 2.3 and certain versions of Red Hat OpenStack.
Can an attacker exploit CVE-2017-7466 remotely?
An attacker must have control over a client system to exploit CVE-2017-7466, making remote exploitation less likely.
What kind of attack can be performed using CVE-2017-7466?
An attacker exploiting CVE-2017-7466 can execute arbitrary code on the Ansible server.
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2017-7466
- agent/software-canonical-lookup
- agent/severity
- agent/author
- agent/event
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-3m8p-xpm6-8ww3
- agent/last-modified-date
- agent/references
- collector/github-advisory
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-index
- package-manager/redhat
- package-manager/pip
- vendor/redhat
- canonical/red hat ansible
- canonical/red hat openstack for ibm power
- version/red hat openstack for ibm power/10
- version/red hat openstack for ibm power/11