An improper escape on the line,could lead to unsuspecting developer execute code on the host machine rather than virtual one https://github.com/ansible/ansible-runner/blob/3d6886d1a26358ead139fef736d1c8ca07f7ab71/ansible_runner/runner.py#L257
There is an upstream change in 2.1.0 which removes the shell use in subprocess: https://github.com/ansible/ansible-runner/commit/3533f265f4349a3f2a0283158cd01b59a6bbc7bd
This issue has been addressed in the following products: Red Hat Ansible Automation Platform 2.0 for RHEL 8 Via RHSA-2022:0108 https://access.redhat.com/errata/RHSA-2022:0108
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-4041
Created python-ansible-runner tracking bugs for this issue: Affects: epel-7 [bug 2180515] Affects: openstack-rdo [bug 2180516]