9.8

CVE-2017-7481

Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
RedhatOpenstack Version10
RedhatOpenstack Version11
RedhatStorage Console Version2.0
RedhatVirtualization Version4.1
RedhatGluster Storage Version3.2
   RedhatEnterprise Linux Version7.0
RedhatAnsible Engine Version < 2.3.1.0
RedhatAnsible Engine Version >= 2.3.2.0 < 2.4.0.0
CanonicalUbuntu Linux Version16.04 SwEditionlts
CanonicalUbuntu Linux Version18.04 SwEditionlts
CanonicalUbuntu Linux Version19.04
DebianDebian Linux Version9.0
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 4.8% 0.909
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 9.8 3.9 5.9
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd@nist.gov 7.5 10 6.4
AV:N/AC:L/Au:N/C:P/I:P/A:P
secalert@redhat.com 5.3 1.6 3.6
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

https://access.redhat.com/errata/RHSA-2017:1244
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:1334
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:1476
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:1499
Vendor Advisory
https://access.redhat.com/errata/RHSA-2017:1599
Vendor Advisory
https://usn.ubuntu.com/4072-1/
Third Party Advisory
http://www.securityfocus.com/bid/98492
Third Party Advisory
VDB Entry
https://access.redhat.com/errata/RHSA-2017:2524
Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481
Patch
Vendor Advisory
Issue Tracking
https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2
Patch
Third Party Advisory
https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
Third Party Advisory
Mailing List