CVE-2016-9587

CVSS 6.6 MEDIUMEPSS 17.9%CWE-20

Vexday Risk Score

38Attention

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 6.6EPSS 17.9%KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado

Lifecycle

09 Jan 2017Public PoC

24 Apr 2018Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.

CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Affected products

unspecified · Ansible

public PoCs found — 2

cve_referencewww.exploit-db.com/exploits/41013/unverified exploitdbwww.exploit-db.com/exploits/41013unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://rhn.redhat.com/errata/RHSA-2017-0195.html http://rhn.redhat.com/errata/RHSA-2017-0260.html https://access.redhat.com/errata/RHSA-2017:0448 https://access.redhat.com/errata/RHSA-2017:0515 https://access.redhat.com/errata/RHSA-2017:1685 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9587 https://security.gentoo.org/glsa/201701-77 https://www.exploit-db.com/exploits/41013/http://www.securityfocus.com/bid/95352