Critical severity9.8NVD Advisory· Published Jul 19, 2018· Updated Jun 17, 2026
CVE-2017-7481
CVE-2017-7481
Description
Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ansiblePyPI | >= 2.3.0.0, < 2.3.1.0 | 2.3.1.0 |
ansiblePyPI | < 2.1.6.0 | 2.1.6.0 |
ansiblePyPI | >= 2.2.0.0, < 2.2.3.0 | 2.2.3.0 |
Affected products
10- ghsa-coords10 versionspkg:pypi/ansiblepkg:rpm/opensuse/ansible-10&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ansible-11&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ansible-12&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ansible-13&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ansible-9&distro=openSUSE%20Tumbleweedpkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%207pkg:rpm/suse/ansible&distro=SUSE%20Package%20Hub%2012pkg:rpm/suse/ansible&distro=SUSE%20Package%20Hub%2015pkg:rpm/suse/monasca-installer&distro=SUSE%20OpenStack%20Cloud%207
>= 2.3.0.0, < 2.3.1.0+ 9 more
- (no CPE)range: >= 2.3.0.0, < 2.3.1.0
- (no CPE)range: < 10.6.0-1.1
- (no CPE)range: < 11.11.0-1.1
- (no CPE)range: < 12.2.0-1.1
- (no CPE)range: < 13.7.0-1.1
- (no CPE)range: < 9.8.0-1.1
- (no CPE)range: < 2.2.3.0-5.1
- (no CPE)range: < 2.4.1.0-6.1
- (no CPE)range: < 2.7.6-bp150.3.3.1
- (no CPE)range: < 20170912_10.45-5.1
Patches
Vulnerability mechanics
References
19- bugzilla.redhat.com/show_bug.cginvdIssue TrackingPatchVendor AdvisoryWEB
- github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2nvdPatchThird Party AdvisoryWEB
- www.securityfocus.com/bid/98492nvdThird Party AdvisoryVDB Entry
- access.redhat.com/errata/RHSA-2017:1244nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:1334nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:1476nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:1499nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:1599nvdVendor AdvisoryWEB
- access.redhat.com/errata/RHSA-2017:2524nvdVendor AdvisoryWEB
- github.com/advisories/GHSA-w578-j992-554xghsaADVISORY
- lists.debian.org/debian-lts-announce/2021/01/msg00023.htmlnvdMailing ListThird Party AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2017-7481ghsaADVISORY
- usn.ubuntu.com/4072-1/nvdThird Party Advisory
- github.com/ansible/ansible/commit/a1886911fcf4b691130cfc70dfc5daa5e07c46a3ghsaWEB
- github.com/ansible/ansible/commit/f0e348f5eeb70c1fb3127d90891da43b5c0a9d29ghsaWEB
- github.com/ansible/ansible/commit/fd30f5328986f9e1da434474481f32bf918a600cghsaWEB
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-41.yamlghsaWEB
- usn.ubuntu.com/4072-1ghsaWEB
- web.archive.org/web/20170801122609/http://www.securityfocus.com/bid/98492ghsaWEB
News mentions
0No linked articles in our index yet.