Bug 1413581

Summary: CVE-2016-9587 Command execution on Ansible controller from host
Product: [Fedora] Fedora EPEL
Reporter: Ruben Püttmann <ruben>
Component: ansible
Assignee: Kevin Fenzi <kevin>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: epel7
CC: a.badger, athmanem, kevin, kupo, mark, maxim, toromoti
Hardware: x86_64   
OS: Linux   
Last Closed: 2017-01-16 13:30:00 UTC
Type: Bug

Description Ruben Püttmann 2017-01-16 12:52:09 UTC
            Summary: Command execution on Ansible controller from host
  Affected software: Ansible
                CVE: CVE-2016-9587
      Reference URL: https://www.computest.nl/advisories/CT-2017-0109_Ansible.txt
  Affected versions: < 2.1.4, < 2.2.1

             Credit: Undisclosed at Computest (research)
Date of publication: January 9, 2017

During a summary code review of Ansible, Computest found and exploited several
issues that allow a compromised host to execute commands on the Ansible
controller and thus gain access to the other hosts controlled by that
controller. 

Fixed versions are available from upstream.

Comment 1 Andrej Nemec 2017-01-16 13:30:00 UTC

*** This bug has been marked as a duplicate of bug 1412357 ***