Issue created Jul 29, 2014 by Alexander Belous (@belousa)

ansible: input sanitization errors (CVE-2014-4966 CVE-2014-4967)

The Ansible project is an open source configuration management platform.

The Ansible platform suffers from input sanitization errors that allow
arbitrary code execution as well as information leak, in case an attacker is
able to control certain playbook variables.

The first vulnerability involves the escalation of a local permission access
level into arbitrary code execution. The code execution can be triggered by
interpolation of file names maliciously crafted as lookup plugin commands, in
combination with its pipe feature.

The second vulnerability concerns the unsafe parsing of action arguments in
the face of an attacker controlling variable data (whether fact data,
with_fileglob data, or other sources), allowing an attacker to supply their
own options to an action. The impact of this is dependent on the action
module the attacker targets. For example, an attacker controlling variables
passed to the copy or template actions would be able to trigger arbitrary
code execution (in addition to simple information leakage) via the validate
option’s acceptance of arbitrary shell code.

Affected version:

Ansible <= 1.6.6

Fixed version:

Ansible >= 1.6.7

Credit: vulnerability report received from Brian Harring <ferringb AT
gmail.com>.

CVE: CVE-2014-4966 (lookup function), CVE-2014-4967 (action arguments)

References:
http://www.ocert.org/advisories/ocert-2014-004.html

(from redmine: issue id 3247, created on 2014-07-29, closed on 2014-07-30)

  • Relations:
    • child #3248 (closed)
    • child #3249 (closed)
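
An added illustration of the action-argument flaw (CVE-2014-4967) described in the issue above; it is not part of the original issue and is not Ansible's code. It is a simplified key=value parser with hypothetical names (`parse_unsafe`, `parse_safe`, `injected_options`) and constructed sample values, showing that interpolating variable data before parsing lets a value contribute its own options, while parsing first keeps it confined to the option the playbook author wrote.

```python
import re
import shlex

VAR = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def render(text, variables):
    """Substitute {{name}} placeholders with the raw variable values."""
    return VAR.sub(lambda m: str(variables[m.group(1)]), text)

def parse_kv(arg_string):
    """Split a 'key=value key2=value2' action string into a dict."""
    options = {}
    for token in shlex.split(arg_string):
        if "=" in token:
            key, value = token.split("=", 1)
            options[key] = value
    return options

def parse_unsafe(template, variables):
    """Model of the flaw: interpolate first, then parse the result."""
    return parse_kv(render(template, variables))

def parse_safe(template, variables):
    """Parse the author's template first, then fill in each value."""
    return {k: render(v, variables) for k, v in parse_kv(template).items()}

def injected_options(template, variables):
    """Option names seen after unsafe parsing that the author never wrote."""
    return sorted(set(parse_unsafe(template, variables)) - set(parse_kv(template)))

# Constructed sample: a copy-style action whose src comes from variable data.
# Placeholders are written without inner spaces so the toy parser keeps them whole.
TEMPLATE = "src={{item}} dest=/etc/app.conf"
BENIGN = {"item": "files/app.conf"}
# Constructed value carrying an extra option; the option value is an inert placeholder.
HOSTILE = {"item": "files/app.conf validate=INJECTED_PLACEHOLDER"}

if __name__ == "__main__":
    print("unsafe:", parse_unsafe(TEMPLATE, HOSTILE))
    print("safe:  ", parse_safe(TEMPLATE, HOSTILE))
    print("options added by variable data:", injected_options(TEMPLATE, HOSTILE))
```

A non-empty result from `injected_options` means variable data changed which options the action receives, which is the condition the 1.6.7 fix is meant to rule out.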