CVE-2016-8628: Improper Neutralization of Special Elements used in a Command

October 10, 2018 (updated September 14, 2021)

Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.

References

github.com/advisories/GHSA-jg4f-jqm5-4mgq
nvd.nist.gov/vuln/detail/CVE-2016-8628

Detect and mitigate CVE-2016-8628 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →