ansible is vulnerable to code injection. The ansible_facts
subkey can be used to overwrite itself after cleaning when inject is enabled, allowing an attacker to modify values such as ansible_hosts
, users or other key data which can potentially lead to code injection or privilege escalation.
bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684
github.com/advisories/GHSA-p62g-jhg6-v3rq
github.com/ansible/ansible/commit/a9d2ceafe429171c0e2ad007058b88bae57c74ce
github.com/ansible/ansible/pull/68431
lists.fedoraproject.org/archives/list/[email protected]/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW/
lists.fedoraproject.org/archives/list/[email protected]/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S/
lists.fedoraproject.org/archives/list/[email protected]/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB/
security.gentoo.org/glsa/202006-11
www.debian.org/security/2021/dsa-4950