ansible is vulnerable to command injection. It is possible due to a lack of the returned facts validation, allowing a remote host running ansible or via escalated permissions to alter connection or interpreter settings by injecting malicious command through it.
www.securityfocus.com/bid/94109
access.redhat.com/errata/RHSA-2016:2778
access.redhat.com/security/updates/classification/#moderate
bugzilla.redhat.com/show_bug.cgi?id=1378929
bugzilla.redhat.com/show_bug.cgi?id=1382634
bugzilla.redhat.com/show_bug.cgi?id=1382936
bugzilla.redhat.com/show_bug.cgi?id=1383961
bugzilla.redhat.com/show_bug.cgi?id=1386333
bugzilla.redhat.com/show_bug.cgi?id=1389275
bugzilla.redhat.com/show_bug.cgi?id=1389928
bugzilla.redhat.com/show_bug.cgi?id=1391548
bugzilla.redhat.com/show_bug.cgi?id=1391608
bugzilla.redhat.com/show_bug.cgi?id=1391865
bugzilla.redhat.com/show_bug.cgi?id=1392169
bugzilla.redhat.com/show_bug.cgi?id=1392276
bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628