Опубликовано: 13 июл. 2018
Источник: github
Github: Прошло ревью
CVSS4: 8.5
CVSS3: 7.8
Описание
Code injection in ansible
An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2017-2809
- https://github.com/tomoh1r/ansible-vault/issues/4
- https://github.com/tomoh1r/ansible-vault/commit/3f8f659ef443ab870bb19f95d43543470168ae04
- https://github.com/advisories/GHSA-c2w9-48qc-qpj4
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible-vault/PYSEC-2017-5.yaml
- https://github.com/tomoh1r/ansible-vault/blob/v1.0.5/CHANGES.txt
- https://web.archive.org/web/20171206173637/http://www.securityfocus.com/bid/100824
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0305
Пакеты
Наименование
ansible-vault
pip
Затронутые версииВерсия исправления
< 1.0.5
1.0.5
Связанные уязвимости
CVSS3: 7.5
nvd
больше 8 лет назад
An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability.