CVE-2016-8628

NameCVE-2016-8628
DescriptionAnsible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severityhigh (attack range: remote)
Debian Bugs842985

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ansible (PTS)jessie1.7.2+dfsg-2fixed
jessie (security)1.7.2+dfsg-2+deb8u1fixed
stretch (security), stretch2.2.1.0-2+deb9u1fixed
buster2.7.7+dfsg-1fixed
bullseye, sid2.7.8+dfsg-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ansiblesource(unstable)2.2.0.0-1high842985
ansiblesourcejessie(not affected)

Notes

[jessie] - ansible <not-affected> (Vulnerable code not present)
Fixed upstream in v2.2.0.0-1
Needs an attacker to compromise a controlled server.
Search for package or bug name: Reporting problems