CVE-2016-9587 MEDIUM

Vendor Unspecified
Product Ansible
Weakness CWE-20 · Input validation
Published April 24, 2018
Last update August 6, 2024

CVSS base score

6.6/10
Attack vector Network
Attack complexity High
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Ansible before versions 2.1.4 and 2.2.1 is vulnerable to improper input validation in its handling of data sent from client systems. An attacker who controls a client system managed by Ansible and can send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server with the Ansible server's privileges.

Key dates

02 Disclosure timeline

April 24, 2018 CVE published
August 6, 2024 Record updated