Bug 1388113 (CVE-2016-8628) - CVE-2016-8628 ansible: Command injection by compromised server via fact variables
Summary: CVE-2016-8628 ansible: Command injection by compromised server via fact varia...
Alias: CVE-2016-8628
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1390646 1390647 1390648 1390649 1390681 1396333
Blocks: 1388114
TreeView+ depends on / blocked
Reported: 2016-10-24 13:37 UTC by Adam Mariš
Modified: 2021-02-17 03:07 UTC (History)
46 users (show)

Fixed In Version: Ansible 2.2.0
Doc Type: If docs needed, set a value
Doc Text:
Ansible fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
Clone Of:
Last Closed: 2016-12-15 05:30:42 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2778 0 normal SHIPPED_LIVE Moderate: atomic-openshift-utils security and bug fix update 2016-11-16 00:08:29 UTC

Description Adam Mariš 2016-10-24 13:37:25 UTC
It was found that it's possible to inject code and gain remote code execution via setting ansible_ssh_executable variable by attacker that takes over of controlled server.

Comment 1 Adam Mariš 2016-10-24 13:37:55 UTC

Name: Michael Scherer (Red Hat)

Comment 2 Kurt Seifried 2016-11-01 15:23:05 UTC
Created ansible1.9 tracking bugs for this issue:

Affects: fedora-all [bug 1390647]
Affects: epel-all [bug 1390649]

Comment 3 Kurt Seifried 2016-11-01 15:23:26 UTC
Created ansible tracking bugs for this issue:

Affects: fedora-all [bug 1390646]
Affects: epel-all [bug 1390648]

Comment 4 Kurt Seifried 2016-11-01 15:28:46 UTC
This issue is addressed in Ansible 2.2.0 available at:


Comment 5 Kurt Seifried 2016-11-01 15:34:58 UTC
Downgrading this issue from High to Medium as it requires a compromised server in order to exploit a client.

Comment 8 Kurt Seifried 2016-11-14 18:24:00 UTC
Updated affects, 1.9 is not affected.

Comment 9 errata-xmlrpc 2016-11-15 19:09:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 3.2
  Red Hat OpenShift Container Platform 3.3

Via RHSA-2016:2778 https://access.redhat.com/errata/RHSA-2016:2778

Note You need to log in before you can comment on or make changes to this bug.