CVE-2017-7481 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2017-7481 Interim 1 22 2023-09-07T00:57:28Z current 2021-05-30T13:54:40Z 2023-09-07T00:57:28Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2017-7481 Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.suse.com/pipermail/sle-security-updates/2017-November/003400.html E-Mail link for SUSE-SU-2017:3029-1 https://lists.opensuse.org/opensuse-updates/2017-11/msg00027.html E-Mail link for openSUSE-SU-2017:2976-1 https://lists.opensuse.org/opensuse-updates/2017-11/msg00029.html E-Mail link for openSUSE-SU-2017:2978-1 https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00057.html E-Mail link for openSUSE-SU-2019:0238-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Server 11 SP3-TERADATA SUSE OpenStack Cloud 7 SUSE Package Hub 12 SUSE Package Hub 15 openSUSE Tumbleweed ansible-2.2.0.0-10.1 ansible-2.2.3.0-5.1 ansible-2.4.1.0-6.1 ansible-2.7.6-bp150.3.3.1 ansible-2.9.24-1.2 ansible-doc-2.9.24-1.2 ansible-test-2.9.24-1.2 monasca-installer-20170912_10.45-5.1 ansible-2.2.0.0-10.1 as a component of SUSE Linux Enterprise Server 11 SP3-TERADATA ansible-2.2.3.0-5.1 as a component of SUSE OpenStack Cloud 7 monasca-installer-20170912_10.45-5.1 as a component of SUSE OpenStack Cloud 7 ansible-2.4.1.0-6.1 as a component of SUSE Package Hub 12 ansible-2.7.6-bp150.3.3.1 as a component of SUSE Package Hub 15 ansible-2.9.24-1.2 as a component of openSUSE Tumbleweed ansible-doc-2.9.24-1.2 as a component of openSUSE Tumbleweed ansible-test-2.9.24-1.2 as a component of openSUSE Tumbleweed Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. CVE-2017-7481 SUSE Linux Enterprise Server 11 SP3-TERADATA:ansible-2.2.0.0-10.1 SUSE OpenStack Cloud 7:ansible-2.2.3.0-5.1 SUSE OpenStack Cloud 7:monasca-installer-20170912_10.45-5.1 SUSE Package Hub 12:ansible-2.4.1.0-6.1 SUSE Package Hub 15:ansible-2.7.6-bp150.3.3.1 openSUSE Tumbleweed:ansible-2.9.24-1.2 openSUSE Tumbleweed:ansible-doc-2.9.24-1.2 openSUSE Tumbleweed:ansible-test-2.9.24-1.2 moderate 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 5.3 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N