It was found that an attacker who takes over a controlled server can inject code and gain remote code execution by setting the ansible_ssh_executable variable.
Name: Michael Scherer (Red Hat)
Created ansible1.9 tracking bugs for this issue:
Affects: fedora-all [bug 1390647]
Affects: epel-all [bug 1390649]
Created ansible tracking bugs for this issue:
Affects: fedora-all [bug 1390646]
Affects: epel-all [bug 1390648]
This issue is addressed in Ansible 2.2.0 available at:
Downgrading this issue from High to Medium as it requires a compromised server in order to exploit a client.
Updated affects; 1.9 is not affected.
This issue has been addressed in the following products:
Red Hat OpenShift Enterprise 3.2
Red Hat OpenShift Container Platform 3.3
Via RHSA-2016:2778 https://access.redhat.com/errata/RHSA-2016:2778