Jimi-C

**Name of the Vulnerable Software and Affected Versions** Ansible versions 2.3.1.0 and 2.4.0.0 and earlier **Description** The issue is related to insufficient input validation in Ansible. An attacker could exploit this by controlling the results of `lookup()` calls, injecting Unicode strings to be parsed by the `jinja2` templating system, resulting in code execution. By default, the `jinja2` templating language is now marked as 'unsafe' and is not evaluated. **Recommendations** For Ansible versions prior to 2.3.1.0 and 2.4.0.0, update to version 2.3.1.0 or 2.4.0.0 or later to resolve the issue. As a temporary workaround, consider disabling the `jinja2` templating language until a patch is available. Restrict access to the `lookup()` function to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ansible versions prior to 1.6.7 **Description** The issue allows remote attackers to execute arbitrary code via crafted lookup('pipe') calls or crafted Jinja2 data, due to the lack of prevention of inventory data with "{{" and "lookup" substrings, and remote data with "{{" substrings. **Recommendations** For versions prior to 1.6.7, update to version 1.6.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of lookup('pipe') calls and crafted Jinja2 data to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ansible versions prior to 1.6.7 **Description** The issue allows remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact. This can be achieved with a fact that includes specific clauses, such as a trailing `src=` clause, a trailing `temp=` clause, or a trailing `validate=` clause accompanied by a shell command. **Recommendations** For versions prior to 1.6.7, update to version 1.6.7 or later to resolve the issue. As a temporary workaround, consider restricting access to managed hosts and validating all facts to prevent the execution of arbitrary code. Avoid using facts with trailing clauses such as `src=`, `temp=`, or `validate=` accompanied by shell commands until the issue is resolved.