ALT-PU-2014-1957-2

CVE-2014-3498

HIGH8.8

The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands.

Опубликовано: 2017-06-08Изменено: 2025-04-20

CVSS 2.0СРЕДНЯЯ 6.5

CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:P/A:P

CVSS 3.xВЫСОКАЯ 8.8

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2014-4678

CRITICAL9.8

The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657.

Опубликовано: 2020-02-20Изменено: 2024-11-21

CVSS 2.0ВЫСОКАЯ 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2014-4966

CRITICAL9.8

Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.

Опубликовано: 2020-02-18Изменено: 2024-11-21

CVSS 2.0ВЫСОКАЯ 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

CVE-2014-4967

CRITICAL9.8

Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" clause, or (3) a trailing " validate=" clause accompanied by a shell command.

Опубликовано: 2020-02-18Изменено: 2024-11-21

CVSS 2.0ВЫСОКАЯ 7.5

CVSS:2.0/AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS 3.xКРИТИЧЕСКАЯ 9.8

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Ссылки

GHSA-4cvm-5776-jx9f

HIGH8.7

Ansible Arbitrary Code Execution

Опубликовано: 2022-05-14Изменено: 2024-09-04

CVSS 3.xВЫСОКАЯ 8.7

CVSS:3.x/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0ВЫСОКАЯ 8.7

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Ссылки

GHSA-64cw-m57j-65xj

CRITICAL9.3

Ansible Arbitrary Code Execution

Опубликовано: 2022-05-17Изменено: 2024-09-11

CVSS 3.xКРИТИЧЕСКАЯ 9.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0КРИТИЧЕСКАЯ 9.3

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Ссылки

GHSA-66c7-5pwv-mm3j

CRITICAL9.3

Ansible Code Injection Vulnerability

Опубликовано: 2022-05-25Изменено: 2024-09-11

CVSS 3.xКРИТИЧЕСКАЯ 9.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0КРИТИЧЕСКАЯ 9.3

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Ссылки

GHSA-wqq5-c89p-3wc3

CRITICAL9.3

Ansible Arbitrary Code Execution

Опубликовано: 2022-05-17Изменено: 2024-09-11

CVSS 3.xКРИТИЧЕСКАЯ 9.3

CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS 4.0КРИТИЧЕСКАЯ 9.3

CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Ссылки

Обновление пакета ansible в ветке sisyphus

Закрытые проблемы (8)

The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands.

The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657.

Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.

Ansible Arbitrary Code Execution

Ansible Arbitrary Code Execution

Ansible Code Injection Vulnerability

Ansible Arbitrary Code Execution