CVE-2017-7481
ansible - security update
9.8
CRITICAL
CVSS 3.1
EPSS 4.3%
Description
Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.
How to fix CVE-2017-7481
To remediate CVE-2017-7481, upgrade the affected package to a fixed version below.
- —upgrade to 2.3.1.0+dfsg-1 or later
- —upgrade to 2.2.1.0-2+deb9u2 or later
- —upgrade to 2.3.1.0 or later
- —upgrade to ed56f51f185a1ffd7ea57130d260098686fcc7c2 or later
Is CVE-2017-7481 being exploited?
Low — EPSS is 4.3%, meaning exploitation activity has not been observed at scale.
Affected packages (4)
- from 0, < 2.3.1.0+dfsg-1
- from 0, < 2.2.1.0-2+deb9u2
- >= 2.3.0.0, < 2.3.1.0
- from 0, < ed56f51f185a1ffd7ea57130d260098686fcc7c2 | from 0, < 2.3.1.0, >= 2.3.2.0, < 2.4.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | CRITICAL9.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |