PT-2020-7688 · Ansible+1 · Ansible+2

Jimi-C · Published 2014-07-26 · Updated 2025-11-21 · CVE-2014-4966

CVSS v3.1

9.8 Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Ansible versions prior to 1.6.7

Description

Ansible does not prevent inventory data with "{{" and "lookup" substrings, or remote data with "{{" substrings. This allows remote attackers to execute arbitrary code via crafted lookup('pipe') calls or crafted Jinja2 data.

Recommendations

For versions prior to 1.6.7, update to version 1.6.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of lookup('pipe') calls and of crafted Jinja2 data to minimize the risk of exploitation.

Fix

RCE

Special Elements Injection

Weakness Enumeration

Related Identifiers

ALT-PU-2014-1957
CVE-2014-4966
GHSA-WQQ5-C89P-3WC3
MGASA-2014-0350
OPENSUSE-SU-2024:10326-1
OPENSUSE-SU-2024:14244-1
OPENSUSE-SU-2024:14536-1
OPENSUSE-SU-2025:15605-1
OPENSUSE-SU-2025:15753-1
PYSEC-2020-204

Affected Products

Alt Linux
Ansible
Ansible-Core