1413581 – CVE-2016-9587 Command execution on Ansible controller from host

Bug 1413581 - CVE-2016-9587 Command execution on Ansible controller from host

Summary: CVE-2016-9587 Command execution on Ansible controller from host

Keywords:
Status:	CLOSED DUPLICATE of bug 1412357
Alias:	None
Product:	Fedora EPEL
Classification:	Fedora
Component:	ansible
Sub Component:
Version:	epel7
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	high
Target Milestone:	---
Assignee:	Kevin Fenzi
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-01-16 12:52 UTC by Ruben Püttmann
Modified:	2017-01-16 13:30 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2017-01-16 13:30:00 UTC
Type:	Bug
Embargoed:

Attachments	(Terms of Use)

Description Ruben Püttmann 2017-01-16 12:52:09 UTC

Summary: Command execution on Ansible controller from host
  Affected software: Ansible
	        CVE: CVE-2016-9587
      Reference URL: https://www.computest.nl/advisories/
                     CT-2017-0109_Ansible.txt
  Affected versions: < 2.1.4, < 2.2.1

             Credit: Undisclosed at Computest (research)
Date of publication: January 9, 2017

During a summary code review of Ansible, Computest found and exploited several
issues that allow a compromised host to execute commands on the Ansible
controller and thus gain access to the other hosts controlled by that
controller. 

Fixed versions are available from upstream

Comment 1 Andrej Nemec 2017-01-16 13:30:00 UTC


*** This bug has been marked as a duplicate of bug 1412357 ***

Note You need to log in before you can comment on or make changes to this bug.