CVE-2017-7481 MEDIUM

Vendor [Unknown]
Product ansible
Weakness CWE-20 · Improper Input Validation
Published July 19, 2018
Last update August 5, 2024

CVSS base score

5.3/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Required
Scope Unchanged
Confidentiality None
Integrity High
Availability None

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

What the vulnerability does

01 Description

Ansible before versions 2.3.1.0 and 2.4.0.0 fails to mark lookup-plugin results as unsafe. If an attacker can control what a lookup() call returns (for example, the contents of a file or the command output that a lookup reads), they can include jinja2 template syntax in that result; because the returned text is a plain Unicode string rather than an unsafe-wrapped one, the jinja2 templating engine parses and evaluates it on a later templating pass, resulting in code execution. In the fixed versions, lookup results are marked 'unsafe' by default, so any template syntax they contain is treated as literal text and is not evaluated.
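Added illustration, not taken from the CVE record or from Ansible's source: a toy templar that models the two behaviours the description contrasts. A lookup returns attacker-controlled text containing a template expression; with results left as plain strings the expression is evaluated on the next templating pass and a command lookup fires, whereas with results wrapped in an unsafe marker type the later pass leaves them alone. The class and function names, the regex, the in-memory FILES table and the simplified taint propagation are all assumptions made for the example; the 'file' and 'pipe' lookup names are borrowed from Ansible but the stand-ins here do not read disk or run commands.

```python
import re

# Toy model of the templating behaviour behind CVE-2017-7481. Written for this
# page as an illustration; it is not Ansible's code, and the names below
# (UnsafeText, Templar, render_twice, the in-memory FILES table) are assumed.


class UnsafeText(str):
    """Marker for text that came from an untrusted source.

    Plays the role of Ansible's AnsibleUnsafeText: a templar that receives an
    instance treats it as literal data and never parses it as a template.
    """


# The only template syntax this toy understands: {{ lookup('<plugin>', '<term>') }}
LOOKUP_RE = re.compile(r"\{\{\s*lookup\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)\s*\}\}")

# Constructed sample data: a file whose contents an attacker controls. The
# smuggled expression would run a command if it were ever evaluated.
FILES = {
    "/etc/motd": "Welcome!\n{{ lookup('pipe', 'id') }}",
}


def file_lookup(term, templar):
    """Stand-in for the 'file' lookup: returns attacker-controlled content."""
    return FILES[term]


def pipe_lookup(term, templar):
    """Stand-in for the 'pipe' lookup. Records the command instead of running
    it, so the example is safe to execute; the return value is fabricated."""
    templar.executed.append(term)
    return "uid=0(root) gid=0(root)"


class Templar:
    def __init__(self, lookups, mark_unsafe):
        self.lookups = lookups          # plugin name -> callable(term, templar)
        self.mark_unsafe = mark_unsafe  # False models Ansible < 2.3.1.0
        self.executed = []              # audit trail of commands pipe_lookup saw

    def template(self, value):
        # Unsafe-marked text is returned untouched: that is the whole fix.
        if isinstance(value, UnsafeText):
            return value

        tainted = False

        def run_lookup(match):
            nonlocal tainted
            plugin, term = match.group(1), match.group(2)
            result = self.lookups[plugin](term, self)
            if self.mark_unsafe:
                tainted = True  # lookup output must not be re-templated later
            return result

        rendered = LOOKUP_RE.sub(run_lookup, value)
        # Fixed behaviour: anything built from a lookup result carries the
        # unsafe marker out of the templar (simplified taint propagation).
        return UnsafeText(rendered) if tainted else rendered


def render_twice(mark_unsafe):
    """Ansible templates values lazily, so a lookup result often goes through
    the templar again (for instance when stored in a variable and reused).
    Returns (final text, list of commands the pipe lookup was asked to run)."""
    templar = Templar({"file": file_lookup, "pipe": pipe_lookup}, mark_unsafe)
    first = templar.template("{{ lookup('file', '/etc/motd') }}")
    second = templar.template(first)   # second pass: where the injection bites
    return second, list(templar.executed)


if __name__ == "__main__":
    for fixed in (False, True):
        text, ran = render_twice(mark_unsafe=fixed)
        print("fixed" if fixed else "vulnerable", "->", repr(text), "commands:", ran)
```

The vulnerable path shows why the CVSS vector carries UI:R and AC:H: the attacker needs a play that feeds a lookup over data they control and a second templating pass over the result, which is why the description says "if an attacker could control the results of lookup() calls". When checking whether a playbook is exposed, look for lookup results that flow into vars, set_fact or templates that are rendered again, and for any explicit use of unsafe-stripping behaviour in custom plugins.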

Key dates

02 Disclosure timeline

July 19, 2018 CVE published
August 5, 2024 Record updated