CVE-2014-4967: Ansible Arbitrary Code Execution

May 17, 2022 (updated September 10, 2024)

Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" clause, or (3) a trailing " validate=" clause accompanied by a shell command.

References

github.com/advisories/GHSA-64cw-m57j-65xj
github.com/ansible/ansible/commit/62a1295a3e08cb6c3e9f1b2a1e6e5dcaeab32527
github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-205.yaml
nvd.nist.gov/vuln/detail/CVE-2014-4967

Detect and mitigate CVE-2014-4967 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →