Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.
{ "availability": "Available with Ubuntu Pro (Infra-only): https://ubuntu.com/pro", "ubuntu_priority": "medium", "binaries": [ { "binary_version": "1.5.4+dfsg-1ubuntu0.1~esm2", "binary_name": "ansible" }, { "binary_version": "1.5.4+dfsg-1ubuntu0.1~esm2", "binary_name": "ansible-doc" }, { "binary_version": "1.5.4+dfsg-1ubuntu0.1~esm2", "binary_name": "ansible-fireball" }, { "binary_version": "1.5.4+dfsg-1ubuntu0.1~esm2", "binary_name": "ansible-node-fireball" } ] }