CVE-2014-4966

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') in pypi/ansible

Identifiers

GHSA-wqq5-c89p-3wc3, CVE-2014-4966

Package Slug

pypi/ansible

Vulnerability

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

Description

Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.

Affected Versions

All versions before 1.6.7

Solution

Upgrade to version 1.6.7 or above.

Last Modified

2024-01-31

source