CVE-2017-7481 (CVSS base score 9.8)
- EPSS 3.69%
- Published 19.07.2018 13:29:00
- Last modified 21.11.2024 03:31:59
- Source secalert@redhat.com
Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.
Data is provided by the National Vulnerability Database (NVD)
Affected products:
- Redhat ≫ Openshift Container Platform, version 3.3
- Redhat ≫ Openshift Container Platform, version 3.4
- Redhat ≫ Openshift Container Platform, version 3.5
- Redhat ≫ Storage Console, version 2.0
- Redhat ≫ Virtualization, version 4.1
- Redhat ≫ Virtualization Manager, version 4.1
- Redhat ≫ Gluster Storage, version 3.2
- Redhat ≫ Ansible Engine, version < 2.3.1.0
- Redhat ≫ Ansible Engine, version >= 2.3.2.0 and < 2.4.0.0
- Canonical ≫ Ubuntu Linux, version 16.04 (software edition: lts)
- Canonical ≫ Ubuntu Linux, version 18.04 (software edition: lts)
- Canonical ≫ Ubuntu Linux, version 19.04
- Debian ≫ Debian Linux, version 9.0
No CISA KEV entry or CERT.AT advisory was found for this CVE.

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 3.69% | 0.875 |

| Source | Base Score | Exploit Score | Impact Score | Vector string |
|---|---|---|---|---|
| nvd@nist.gov | 9.8 | 3.9 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 7.5 | 10 | 6.4 | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| secalert@redhat.com | 5.3 | 1.6 | 3.6 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N |
CWE-20: Improper Input Validation
The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.