PT-2018-5101 · Red Hat+2 · Ansible+2

Kurt Seifried

Published

2017-03-30

Updated

2026-06-03

CVE-2016-9587

CVSS v2.0

9.3

Critical

Vector

AV:N/AC:M/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions Ansible versions prior to 2.1.4 Ansible versions prior to 2.2.1

Description The issue is related to improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.

Recommendations For versions prior to 2.1.4, update to version 2.1.4 or later. For versions prior to 2.2.1, update to version 2.2.1 or later. As a temporary workaround, consider restricting the ability of client systems to send facts back to the Ansible server until a patch is applied.

Exploit

Fix

RCE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-20

Related Identifiers

ALT-PU-2017-1386

CVE-2016-9587

GHSA-M956-FRF4-M2WR

OPENSUSE-SU-2017:2976-1

OPENSUSE-SU-2017:2978-1

OPENSUSE-SU-2024:10615-1

OPENSUSE-SU-2024:14244-1

OPENSUSE-SU-2024:14536-1

OPENSUSE-SU-2025:15605-1

OPENSUSE-SU-2025:15753-1

OPENSUSE-SU-2026:10944-1

PYSEC-2018-39

RHSA-2017:0195

RHSA-2017:0260

RHSA-2017:0448

RHSA-2017:0515

RHSA-2017:1685

SUSE-SU-2017:3029-1

SUSE-SU-2020:3309-1

SUSE-SU-2024:1427-1

SUSE-SU-2024:1509-1

Affected Products

Alt Linux

Ansible

Ansible-Core

PT-2018-5101 · Red Hat+2 · Ansible+2

CVE-2016-9587

Weakness Enumeration

Related Identifiers

Affected Products

References · 178