CVE-2017-7481

Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:redhat:openshift_container_platform:3.3:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.4:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openshift_container_platform:3.5:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:11:*:*:*:*:*:*:*
cpe:2.3:a:redhat:storage_console:2.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:virtualization:4.1:*:*:*:*:*:*:*
cpe:2.3:a:redhat:virtualization_manager:4.1:*:*:*:*:*:*:*

Configuration 2 (hide)

AND
cpe:2.3:a:redhat:gluster_storage:3.2:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*

Configuration 3 (hide)

OR cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*

Configuration 4 (hide)

OR cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*

Configuration 5 (hide)

cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*

History

04 Aug 2021, 17:15

Type Values Removed Values Added
CPE cpe:2.3:a:redhat:openstack:10.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:11.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:11:*:*:*:*:*:*:*
cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*

Information

Published : 2018-07-19 13:29

Updated : 2024-02-04 20:03


NVD link : CVE-2017-7481

Mitre link : CVE-2017-7481

CVE.ORG link : CVE-2017-7481


JSON object : View

Products Affected

redhat

  • storage_console
  • gluster_storage
  • virtualization
  • virtualization_manager
  • openshift_container_platform
  • openstack
  • enterprise_linux
  • ansible_engine

debian

  • debian_linux

canonical

  • ubuntu_linux
CWE
CWE-20

Improper Input Validation