CVE-2014-4966

Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.
Configurations

Configuration 1 (hide)

cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2020-02-18 15:15

Updated : 2024-02-04 20:39


NVD link : CVE-2014-4966

Mitre link : CVE-2014-4966

CVE.ORG link : CVE-2014-4966


JSON object : View

Products Affected

redhat

  • ansible
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')