CVE-2016-9587
Ansible is vulnerable to an improper input validation in Ansible's handling of data sent from client systems
8.1
HIGH
CVSS 3.1
EPSS 3.0%
Description
Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.
How to fix CVE-2016-9587
To remediate CVE-2016-9587, upgrade the affected package to a fixed version below.
- —upgrade to 2.1.4.0-r0 or later
- —upgrade to 2.2.0.0-3 or later
- —upgrade to 2.1.4.0 or later
- —upgrade to 2.1.4.0 or later
Is CVE-2016-9587 being exploited?
Low — EPSS is 3.0%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 2.1.4.0-r0
- from 0, < 2.2.0.0-3
- from 0, < 2.1.4.0
- from 0, < 2.1.4.0, >= 2.2.0.0, < 2.2.1.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |