CVE-2014-4678

Published: Feb 20, 2020Modified: Nov 21, 2024

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: NVD

Description

The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657.

Affected (4)

Products: Redhat: Ansible · Debian: Debian Linux

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Redhat Ansible	Before 1.6.4

Configuration B

3 vulnerable

Vulnerable Software	Affected Versions
Debian Debian Linux	Version 10.0
Debian Debian Linux	Version 8.0
Debian Debian Linux	Version 9.0

Related CWEs

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

References (14)

https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916

Source: secalert@redhat.com

PatchThird Party Advisory

https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ

Source: secalert@redhat.com

Third Party Advisory

https://security-tracker.debian.org/tracker/CVE-2014-4678

Source: secalert@redhat.com

Third Party Advisory

https://www.openwall.com/lists/oss-security/2014/06/26/30

Source: secalert@redhat.com

Mailing ListPatchThird Party Advisory

https://www.openwall.com/lists/oss-security/2014/07/02/2

Source: secalert@redhat.com

Mailing ListPatchThird Party Advisory

https://www.rapid7.com/db/vulnerabilities/freebsd-vid-2c493ac8-205e-11e5-a4a5-002590263bf5

Source: secalert@redhat.com

Third Party Advisory

https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2014-4678

Source: secalert@redhat.com

Third Party Advisory

https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916

Source: af854a3a-2127-422b-91ae-364da2661108

PatchThird Party Advisory

https://groups.google.com/forum/message/raw?msg=ansible-announce/ieV1vZvcTXU/5Q93ThkY9rIJ

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://security-tracker.debian.org/tracker/CVE-2014-4678

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.openwall.com/lists/oss-security/2014/06/26/30

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchThird Party Advisory

https://www.openwall.com/lists/oss-security/2014/07/02/2

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListPatchThird Party Advisory

https://www.rapid7.com/db/vulnerabilities/freebsd-vid-2c493ac8-205e-11e5-a4a5-002590263bf5

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

https://www.rapid7.com/db/vulnerabilities/gentoo-linux-cve-2014-4678

Source: af854a3a-2127-422b-91ae-364da2661108

Third Party Advisory

Timeline

No history available yet.