CVE-2016-9587
moderate-risk
Published 2018-04-24
Ansible before versions 2.1.4 and 2.2.1 is vulnerable to improper input validation in its handling of data sent back from client systems (facts). An attacker who controls a client system managed by Ansible, and who can therefore send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server with the server's own privileges. Because the controller typically holds credentials for every host it manages, compromise of a single managed host becomes a path to the whole fleet.
Do I need to act?
EPSS: 4.1% chance of exploitation in the next 30 days (moderate exploit probability)
CISA KEV: not listed; no confirmed active exploitation reported to CISA
Public exploits: 1 public exploit available
Patch status: unknown on this page. Check the vendor advisories below for fix availability and mitigation guidance; the advisory text names 2.1.4 and 2.2.1 as the first fixed releases of their series.
CVSS: 8.1/10 (High), attack vector NETWORK, attack complexity HIGH
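A quick way to answer "do I need to act?" for a given controller is to compare its reported version against the fixed releases named in the advisory. The script below is an added example, not code from the advisory or from the Ansible project: it parses the first line of `ansible --version`, treats anything older than 2.1.4 plus 2.2.0 as affected, and handles pre-release tags (which sort before their final release) conservatively. The sample output it checks is constructed.

```python
"""Check an Ansible controller against the affected range for CVE-2016-9587.

Added example, not part of the advisory or of Ansible itself. It takes the
fixed releases from the advisory text (2.1.4 and 2.2.1) and treats anything
older than 2.1.4, plus 2.2.0, as affected. It parses the first line of
`ansible --version` output; the sample output below is constructed.
"""
import re
import subprocess
from typing import Optional, Tuple

# Fixed releases named in the advisory, per series.
FIXED_2_1 = (2, 1, 4)
FIXED_2_2 = (2, 2, 1)

# First line of `ansible --version`: "ansible 2.2.0.0", "ansible 2.2.1rc1",
# or on newer builds "ansible [core 2.11.0]". A pre-release tag must start
# with a letter so that the closing "]" is not mistaken for one.
_VERSION_RE = re.compile(r"^ansible\s+(?:\[core\s+)?(\d+(?:\.\d+)*)([A-Za-z]\S*)?")


def parse_version(output: str) -> Optional[Tuple[Tuple[int, ...], bool]]:
    """Return (numeric version tuple, is_prerelease) from `ansible --version`
    output, or None when the first line is not recognised."""
    lines = output.strip().splitlines()
    match = _VERSION_RE.match(lines[0]) if lines else None
    if not match:
        return None
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2) is not None


def is_affected(version: Tuple[int, ...], prerelease: bool = False) -> bool:
    """True when the version predates the fix for its series.

    Versions are padded to three components so "2.2" compares like 2.2.0.
    A pre-release (2.2.1rc1) sorts before its final release, so for those
    the comparison is <= rather than <."""
    v = (tuple(version) + (0, 0, 0))[:3]
    fixed = FIXED_2_2 if v[:2] == (2, 2) else FIXED_2_1
    return v <= fixed if prerelease else v < fixed


def assess(output: str) -> str:
    """Classify `ansible --version` output as affected / not affected / unknown."""
    parsed = parse_version(output)
    if parsed is None:
        return "unknown"
    version, prerelease = parsed
    return "affected" if is_affected(version, prerelease) else "not affected"


def assess_local_controller() -> str:
    """Run the installed ansible binary and classify it; "unknown" if absent.
    Caveat: distribution packages (see the RHSA references) may backport the
    fix without changing the upstream version string, so an "affected"
    result here should be confirmed against the vendor advisory."""
    try:
        proc = subprocess.run(["ansible", "--version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return "unknown"
    return assess(proc.stdout)


if __name__ == "__main__":
    # Constructed sample output, not captured from a real host.
    SAMPLE = "ansible 2.2.0.0\n  config file = /etc/ansible/ansible.cfg\n"
    print("sample 2.2.0.0:", assess(SAMPLE))          # affected
    print("local controller:", assess_local_controller())
```

Run it on the controller itself rather than on managed hosts: the flaw executes on the server side, so the version that matters is the one running the playbooks. A version string the regex does not recognise yields "unknown", not "not affected", so an unexpected output format never silently passes the check.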
References (18)
Third Party Advisory: http://rhn.redhat.com/errata/RHSA-2017-0195.html
Third Party Advisory: http://rhn.redhat.com/errata/RHSA-2017-0260.html
Third Party Advisory: http://www.securityfocus.com/bid/95352
Third Party Advisory: https://access.redhat.com/errata/RHSA-2017:0448
Third Party Advisory: https://access.redhat.com/errata/RHSA-2017:0515
Third Party Advisory: https://access.redhat.com/errata/RHSA-2017:1685
Issue Tracking: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9587
Third Party Advisory: https://security.gentoo.org/glsa/201701-77
Risk score: 40 / 100 (moderate-risk)
Severity: 24/34 (High)
Exploitability: 7/34 (Low)
Exposure: 9/34 (Low)