ansible is vulnerable to arbitrary code execution. The attacks are possible because it does not strip lookup calls out of inventory variables and clean unsafe data returned from lookup plugins. The code execution can be performed by interpolating file names as lookup plugin commands in combination with the pipe feature.