—

PYSEC-2020-204

Details

Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / ansible

Introduced in: 0 Fixed in: 62a1295a3e08cb6c3e9f1b2a1e6e5dcaeab32527

Fix pip install --upgrade 'ansible>=62a1295a3e08cb6c3e9f1b2a1e6e5dcaeab32527'

References

https://github.com/ansible/ansible/commit/62a1295a3e08cb6c3e9f1b2a1e6e5dcaeab32527 [FIX]
http://www.ocert.org/advisories/ocert-2014-004.html [ADVISORY]