High severity (CVSS 7.5) · NVD Advisory · Published Sep 14, 2017 · Updated May 13, 2026
CVE-2017-2809
Description
An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability.
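To show the difference the fix makes, here is an added example (not the project's own code) that mirrors the patched behaviour with `yaml.safe_load` and adds a detection pass over the YAML event stream before anything is constructed. The vault plaintext and the `builtins.sum` tag are constructed and harmless; in the real package the text would come from `Vault.decrypt()`.

```python
"""Safe loading of decrypted vault YAML (added example, not the project's code).

Mirrors the ansible-vault 1.0.5 fix: vault plaintext goes through
yaml.safe_load instead of yaml.load, so a document carrying a
``!!python/...`` tag raises ConstructorError instead of building objects.
"""
import yaml
from yaml.constructor import ConstructorError

PYTHON_TAG_PREFIX = "tag:yaml.org,2002:python/"

# Constructed plaintext, standing in for what a vault decrypts to.
BENIGN_VAULT = "db_password: s3cret\nhosts:\n  - web1\n  - web2\n"
# Constructed tagged document; the callable named is harmless (builtins.sum).
TAGGED_VAULT = "db_password: !!python/object/apply:builtins.sum [[1, 2, 3]]\n"


def find_python_tags(text):
    """Return (line, tag) for every node tagged with a python/* tag.

    Walks the parser event stream only, so nothing is constructed while
    scanning; usable as a detection step over vault plaintext before loading.
    """
    found = []
    for event in yaml.parse(text):
        tag = getattr(event, "tag", None)
        if tag and tag.startswith(PYTHON_TAG_PREFIX):
            found.append((event.start_mark.line + 1, tag))
    return found


def load_vault_text(plaintext):
    """Patched behaviour: only the safe YAML constructors are available."""
    return yaml.safe_load(plaintext)


def loads_safely(plaintext):
    """True if the document loads; False if safe_load rejects a tag."""
    try:
        load_vault_text(plaintext)
        return True
    except ConstructorError:
        return False


if __name__ == "__main__":
    print(load_vault_text(BENIGN_VAULT))
    print(find_python_tags(TAGGED_VAULT))
    print("tagged document loads:", loads_safely(TAGGED_VAULT))
```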
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ansible-vault (PyPI) | < 1.0.5 | 1.0.5 |
Affected products
- cpe:2.3:a:ansible-vault_project:ansible-vault:*:*:*:*:*:*:*:* (range: <= 1.0.4)
- Tomohiro Nakamura / ansible-vault (v5; range: 1.0.4)
Patches
3f8f659ef443 "Fix security issue refs #4" (10 files changed · +55 −29)
ansible_vault/api.py+1 −1 modified@@ -15,7 +15,7 @@ def __init__(self, password): def load(self, stream): '''read vault steam and return python object''' - return yaml.load(self.vault.decrypt(stream)) + return yaml.safe_load(self.vault.decrypt(stream)) def dump(self, data, stream=None): '''encrypt data and print stdout or write to stream'''
ansible_vault/test/file/pwned.txt+7 −0 added@@ -0,0 +1,7 @@ +$ANSIBLE_VAULT;1.1;AES256 +31616433623434626463363932323936663066353063393731346536636437633463633137643032 +3663656431663830396662646132343735623538346330640a363532326262353732636161633431 +61353936346235396464333333653831356638393264343662363362653433353762396663653465 +6439366430336336660a363931663030323665633136363362353162333864653933653763656462 +31656431653333343834623731393263393865353831333963616165613237376630646665306363 +6238373037663462343565643737303136333032386136356438
ansible_vault/test/test_api.py+8 −2 modified@@ -1,9 +1,9 @@ import os from tempfile import mkstemp -from testfixtures import ShouldRaise - from ansible.errors import AnsibleError +from testfixtures import ShouldRaise +from yaml.constructor import ConstructorError here = os.path.dirname(os.path.abspath(__file__)) @@ -28,6 +28,12 @@ def test_cannot(self): with ShouldRaise(AnsibleError('Decryption failed')): vault.load(open(fpath).read()) + def test_not_pwned(self): + fpath = os.path.join(here, 'file', 'pwned.txt') + vault = self._makeOne('password') + with ShouldRaise(ConstructorError): + vault.load(open(fpath).read()) + class TestVaultDump(object): def _getTargetClass(self):
CHANGES.txt+10 −0 modified@@ -1,3 +1,13 @@ +1.0.5 (2017/09/13) + +* Update to use yaml.safe_load()$ +* Update to tomoh1r$ + +1.0.4 (2015/11/29) + +* Apply to Ansible 2 +* Add unit tests + 1.0.3 (2015/05/18) * fix README.rst typo
README.rst+2 −2 modified@@ -2,8 +2,8 @@ ansible-vault ============= -.. image:: https://travis-ci.org/jptomo/ansible-vault.svg?branch=master - :target: https://travis-ci.org/jptomo/ansible-vault +.. image:: https://travis-ci.org/tomoh1r/ansible-vault.svg?branch=master + :target: https://travis-ci.org/tomoh1r/ansible-vault This project aim to R/W an ansible-vault yaml file
README_test.rst+1 −0 modified@@ -12,4 +12,5 @@ how to test .. code-block:: console + $ ./venvtest/bin/python setup.py setup_test $ ./venvtest/bin/python setup.py test
setup.cfg+8 −0 modified@@ -1,2 +1,10 @@ [metadata] description-file = README.rst + +[aliases] +setup_test = develop easy_install ansible-vault[test] +release = register clean --all sdist + +[tools:pytest] +norecursedirs = venv +testpaths = ansible_vault/test
setup.py+5 −3 modified@@ -32,19 +32,21 @@ def run_tests(self): setup( name='ansible-vault', - version='1.0.4', + version='1.0.5', author='Tomohiro NAKAMURA', author_email='quickness.net@gmail.com', - url='https://github.com/jptomo/ansible-vault', + url='https://github.com/tomoh1r/ansible-vault', description='R/W an ansible-vault yaml file', long_description=_read('README.rst'), packages=find_packages(), install_requires=['ansible'], - tests_require=['pytest', 'testfixtures'], cmdclass={'test': PyTest}, classifiers=[ 'Development Status :: 5 - Production/Stable', 'License :: OSI Approved :: GNU General Public License v3 (GPLv3)', ], license='GPLv3', + extras_require = { + 'test': ['pytest', 'testfixtures'], + } )
tox.ini+0 −14 removed@@ -1,14 +0,0 @@ -[tox] -envlist = py27, py27-ansible2 -setupdir = . - -[testenv] -basepython = python2.7 - -[testenv:py27] -commands = python2.7 setup.py test - -[testenv:py27-ansible2] -commands = - pip install -U git+https://github.com/ansible/ansible.git@stable-2.0#egg=ansible - python2.7 setup.py test
.travis.yml+13 −7 modified@@ -1,14 +1,20 @@ --- language: python sudo: false +cache: + directories: + - $HOME/.cache/pip python: -- 2.7 -env: - matrix: - - TOXENV=py27 - - TOXENV=py27-ansible2 + - "2.7" + - "3.3" + - "3.4" + - "3.5" + - "3.6" install: - - pip install tox -script: tox + - python -m pip install -U setuptools pip + - python setup.py setup_test +script: + - python -m pytest + - if [ "$TRAVIS_PYTHON_VERSION" == '2.7' ] ; then python -m pip install -U 'ansible<2.0.0' && python -m pytest ; fi # vim:st=2 sts=2 sw=2:
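Review bot: in ansible_vault/api.py the switch from `yaml.load` to `yaml.safe_load` is the right fix: the decrypted text is not otherwise validated, and safe_load limits construction to the standard YAML types, so any `!!python/...` tag raises `yaml.constructor.ConstructorError`, which is exactly what the new test expects. Two small follow-ups on the same hunk: the unchanged docstring still reads "read vault steam" (should be "stream"), and it would help callers if that docstring mentioned that a ConstructorError is raised for tagged documents.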
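Review bot: `test_not_pwned` in ansible_vault/test/test_api.py asserts the rejection, but the fixture `file/pwned.txt` is an opaque encrypted blob, so the test records nothing about which tag the plaintext carries beyond the password passed to `self._makeOne('password')`. A comment describing the plaintext structure, or a helper that builds the fixture at test time by encrypting a known tagged document, would keep the regression reproducible if the vault format changes. The new `open(fpath).read()` also leaks the file handle; the surrounding test uses the same pattern, but a `with open(...)` block would be cleaner in the added code.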
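Review bot: two of the new CHANGES.txt entries end in a stray `$` (`* Update to use yaml.safe_load()$` and `* Update to tomoh1r$`), which looks like a paste artifact from a terminal; drop the trailing character so the changelog reads cleanly.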
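Review bot: the new `[tools:pytest]` section in setup.cfg will be ignored: pytest reads its configuration from a `[tool:pytest]` section (singular) in setup.cfg, so `norecursedirs = venv` and `testpaths = ansible_vault/test` have no effect as written, and the `python -m pytest` call in .travis.yml may collect from the whole tree. Rename the section to `[tool:pytest]`.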
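Review bot: `extras_require = {` in setup.py puts spaces around `=` in a keyword argument while the other arguments in the `setup(...)` call do not; `extras_require={` keeps the style consistent (PEP 8). Functionally, moving `pytest` and `testfixtures` from `tests_require` to the `test` extra matches the new `setup_test` alias in setup.cfg, so the change is sound.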
References
- www.talosintelligence.com/vulnerability_reports/TALOS-2017-0305 (NVD: Exploit, Third Party Advisory)
- www.securityfocus.com/bid/100824 (NVD: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-c2w9-48qc-qpj4 (GHSA: Advisory)
- github.com/tomoh1r/ansible-vault/blob/v1.0.5/CHANGES.txt (NVD: Third Party Advisory)
- github.com/tomoh1r/ansible-vault/commit/3f8f659ef443ab870bb19f95d43543470168ae04 (NVD: Third Party Advisory)
- github.com/tomoh1r/ansible-vault/issues/4 (NVD: Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-2809 (GHSA: Advisory)
- github.com/pypa/advisory-database/tree/main/vulns/ansible-vault/PYSEC-2017-5.yaml (GHSA)
- web.archive.org/web/20171206173637/http://www.securityfocus.com/bid/100824 (GHSA)