Critical severity · NVD Advisory · Published Jul 31, 2018 · Updated Aug 6, 2024
CVE-2016-8628
Description
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ansible (PyPI) | < 2.2.0.0 | 2.2.0.0 |
Affected products (1)
Patches (1)
35938b907dfc · Filter out internal magic and connection variables from facts returns
2 files changed · +32 −0
lib/ansible/plugins/action/__init__.py+27 −0 modified@@ -38,6 +38,7 @@ from ansible.module_utils._text import to_bytes, to_native, to_text from ansible.module_utils.json_utils import _filter_non_json_lines from ansible.parsing.utils.jsonify import jsonify +from ansible.playbook.play_context import MAGIC_VARIABLE_MAPPING from ansible.release import __version__ @@ -670,6 +671,32 @@ def _parse_returned_data(self, res): display.warning(w) data = json.loads(filtered_output) data['_ansible_parsed'] = True + if 'ansible_facts' in data and isinstance(data['ansible_facts'], dict): + remove_keys = set() + fact_keys = set(data['ansible_facts'].keys()) + # first we add all of our magic variable names to the set of + # keys we want to remove from facts + for magic_var in MAGIC_VARIABLE_MAPPING: + remove_keys.update(fact_keys.intersection(MAGIC_VARIABLE_MAPPING[magic_var])) + # next we remove any connection plugin specific vars + for conn_path in self._shared_loader_obj.connection_loader.all(path_only=True): + try: + conn_name = os.path.splitext(os.path.basename(conn_path))[0] + re_key = re.compile('^ansible_%s_' % conn_name) + for fact_key in fact_keys: + if re_key.match(fact_key): + remove_keys.add(fact_key) + except AttributeError: + pass + # finally, we search for interpreter keys to remove + re_interp = re.compile('^ansible_.*_interpreter$') + for fact_key in fact_keys: + if re_interp.match(fact_key): + remove_keys.add(fact_key) + # then we remove them (except for ssh host keys) + for r_key in remove_keys: + if not r_key.startswith('ansible_ssh_host_key_'): + del data['ansible_facts'][r_key] except ValueError: # not valid json, lets try to capture error data = dict(failed=True, _ansible_parsed=False)
lib/ansible/plugins/__init__.py+5 −0 modified@@ -373,6 +373,7 @@ def _display_plugin_load(self, class_name, name, searched_paths, path, found_in_ def all(self, *args, **kwargs): ''' instantiates all plugins with the same arguments ''' + path_only = kwargs.pop('path_only', False) class_only = kwargs.pop('class_only', False) all_matches = [] found_in_cache = True @@ -385,6 +386,10 @@ def all(self, *args, **kwargs): if '__init__' in name: continue + if path_only: + yield path + continue + if path not in self._module_cache: self._module_cache[path] = self._load_module_source(name, path) found_in_cache = False
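Review bot: In the `_parse_returned_data` hunk of lib/ansible/plugins/action/__init__.py, the `try` / `except AttributeError: pass` sits inside the `for conn_path in ...` loop, so it does not cover the `self._shared_loader_obj.connection_loader.all(path_only=True)` lookup in the `for` statement itself, and the enclosing handler visible here catches only `ValueError`. If the loader can be unset, that error escapes result parsing; if it cannot, the bare `pass` hides whatever the guard was meant for. Suggest narrowing the guard to the call that can fail and adding a comment saying why it is there. Two smaller points in the same hunk: `re.compile('^ansible_%s_' % conn_name)` interpolates a file-derived name without `re.escape` and recompiles one pattern per connection plugin on every module result, and the matching keys are deleted silently, so consider a `display.warning` or debug line naming each removed key so that a module returning connection or interpreter variables is visible to the operator. The hunk also uses `os` and `re` while the import hunk adds only `MAGIC_VARIABLE_MAPPING`; please confirm both are already imported in this file.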
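Review bot: In `all()` in lib/ansible/plugins/__init__.py, the docstring still reads "instantiates all plugins with the same arguments", but with `path_only=True` the new branch yields the path and continues before the `_module_cache` lookup, so nothing is loaded or instantiated. Please document `path_only` in the docstring, including that it takes precedence over `class_only` when both are passed, since the `if path_only:` check runs first and `class_only` then has no effect.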
References (9)
- access.redhat.com/errata/RHSA-2016:2778 (ghsa, vendor-advisory, x_refsource_REDHAT, WEB)
- github.com/advisories/GHSA-jg4f-jqm5-4mgq (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-8628 (ghsa, ADVISORY)
- www.securityfocus.com/bid/94109 (mitre, vdb-entry, x_refsource_BID)
- bugzilla.redhat.com/show_bug.cgi (ghsa, x_refsource_CONFIRM, WEB)
- github.com/ansible/ansible/commit/35938b907dfcd1106ca40b794f0db446bdb8cf09 (ghsa, WEB)
- github.com/ansible/ansible/issues/41903 (ghsa, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-38.yaml (ghsa, WEB)
- web.archive.org/web/20200227214455/http://www.securityfocus.com/bid/94109 (ghsa, WEB)