In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.
{ "nvd_published_at": "2018-07-02T13:29:00Z", "cwe_ids": [ "CWE-20", "CWE-426" ], "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2023-02-08T18:08:29Z" }