GHSA-2pfh-q76x-gwvm

Suggest an improvement
Source
https://github.com/advisories/GHSA-2pfh-q76x-gwvm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/09/GHSA-2pfh-q76x-gwvm/GHSA-2pfh-q76x-gwvm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2pfh-q76x-gwvm
Aliases
Published
2021-09-23T23:16:38Z
Modified
2024-09-06T18:01:00.918391Z
Severity
  • 7.1 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
  • 8.6 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Improper Input Validation and Command Injection in Ansible
Details

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.

Database specific
{
    "nvd_published_at": "2021-09-22T12:15:00Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-77",
        "CWE-94"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2021-09-23T17:11:22Z"
}
References

Affected packages

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.9.23rc1

Affected versions

1.*

1.0
1.1
1.2
1.2.1
1.2.2
1.2.3
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.4
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.5
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.6
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.7
1.7.1
1.7.2
1.8
1.8.1
1.8.2
1.8.3
1.8.4
1.9.0
1.9.0.1
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6

2.*

2.0.0
2.0.0.0
2.0.0.1
2.0.0.2
2.0.1.0
2.0.2.0
2.1.0.0
2.1.1.0
2.1.2.0
2.1.3.0
2.1.4.0
2.1.5.0
2.1.6.0
2.2.0.0
2.2.1.0
2.2.2.0
2.2.3.0
2.3.0.0
2.3.1.0
2.3.2.0
2.3.3.0
2.4.0.0
2.4.1.0
2.4.2.0
2.4.3.0
2.4.4.0
2.4.5.0
2.4.6.0
2.5.0a1
2.5.0b1
2.5.0b2
2.5.0rc1
2.5.0rc2
2.5.0rc3
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4
2.5.5
2.5.6
2.5.7
2.5.8
2.5.9
2.5.10
2.5.11
2.5.12
2.5.13
2.5.14
2.5.15
2.6.0a1
2.6.0a2
2.6.0rc1
2.6.0rc2
2.6.0rc3
2.6.0rc4
2.6.0rc5
2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.6.15
2.6.16
2.6.17
2.6.18
2.6.19
2.6.20
2.7.0.dev0
2.7.0a1
2.7.0b1
2.7.0rc1
2.7.0rc2
2.7.0rc3
2.7.0rc4
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15
2.7.16
2.7.17
2.7.18
2.8.0a1
2.8.0b1
2.8.0rc1
2.8.0rc2
2.8.0rc3
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.11
2.8.12
2.8.13
2.8.14
2.8.15
2.8.16rc1
2.8.16
2.8.17rc1
2.8.17
2.8.18rc1
2.8.18
2.8.19rc1
2.8.19
2.8.20rc1
2.8.20
2.9.0b1
2.9.0rc1
2.9.0rc2
2.9.0rc3
2.9.0rc4
2.9.0rc5
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6
2.9.7
2.9.8
2.9.9
2.9.10
2.9.11
2.9.12
2.9.13
2.9.14rc1
2.9.14
2.9.15rc1
2.9.15
2.9.16rc1
2.9.16
2.9.17rc1
2.9.17
2.9.18rc1
2.9.18
2.9.19rc1
2.9.19
2.9.20rc1
2.9.20
2.9.21rc1
2.9.21
2.9.22rc1
2.9.22

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.10.0a1
Fixed
2.10.11rc1

Affected versions

2.*

2.10.0a1
2.10.0a2
2.10.0a3
2.10.0a4
2.10.0a5
2.10.0a6
2.10.0a7
2.10.0a8
2.10.0a9
2.10.0b1
2.10.0b2
2.10.0rc1
2.10.0
2.10.1
2.10.2
2.10.3
2.10.4
2.10.5
2.10.6
2.10.7

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.11.0a1
Fixed
2.11.2rc1