Ubuntu: (CVE-2014-4966): ansible vulnerability
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 8 | (AV:N/AC:L/Au:N/C:P/I:P/A:P) | Feb 18, 2020 | Nov 19, 2024 | Mar 27, 2026 |
Description
Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.
Solution
ubuntu-pro-upgrade-ansible
References
- CVE-2014-4966
- https://attackerkb.com/topics/CVE-2014-4966
- CWE-74
- EUVD-EUVD-2020-0016
- http://www.openwall.com/lists/oss-security/2014/07/22
- https://euvd.enisa.europa.eu/vulnerability/EUVD-2020-0016
- https://github.com/ansible/ansible/commit/84759faa0950146a6bae8452580b4a4cede6d871
- https://www.cve.org/CVERecord?id=CVE-2014-4966