Bug 2028074 (CVE-2021-4041) - CVE-2021-4041 Ansible: Improper shell escaping in ansible-runner
Summary: CVE-2021-4041 Ansible: Improper shell escaping in ansible-runner
Alias: CVE-2021-4041
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 2180720 2028406 2180515 2180516 2180721 2180722 2180723 2182373 2182750
Blocks: 2015241
TreeView+ depends on / blocked
Reported: 2021-12-01 12:48 UTC by Vipul Nair
Modified: 2023-08-02 09:22 UTC (History)
58 users (show)

Fixed In Version: ansible-runner 2.1.0
Doc Type: ---
Doc Text:
A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment.
Clone Of:
Last Closed: 2022-01-11 22:00:41 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:0108 0 None None None 2022-01-11 20:55:17 UTC

Description Vipul Nair 2021-12-01 12:48:35 UTC
An improper escape on the line,could lead to unsuspecting developer execute code on the host machine rather than virtual one

Comment 3 Salvatore Bonaccorso 2021-12-12 10:07:16 UTC
There is an upstream change in 2.1.0 which removes the shell use in subprocess:

Comment 6 errata-xmlrpc 2022-01-11 20:55:14 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.0 for RHEL 8

Via RHSA-2022:0108 https://access.redhat.com/errata/RHSA-2022:0108

Comment 7 Product Security DevOps Team 2022-01-11 22:00:39 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Comment 8 Vipul Nair 2023-03-21 15:54:16 UTC
Created python-ansible-runner tracking bugs for this issue:

Affects: epel-7 [bug 2180515]
Affects: openstack-rdo [bug 2180516]

Note You need to log in before you can comment on or make changes to this bug.