Candidate: CVE-2014-4678
PublicDate: 2020-02-20 03:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4678
 https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916
Description:
 The safe_eval function in Ansible before 1.6.4 does not properly restrict
 the code subset, which allows remote attackers to execute arbitrary code via
 crafted instructions. NOTE: this vulnerability exists because of an
 incomplete fix for CVE-2014-4657.
Ubuntu-Description:
 It was discovered that Ansible mishandled certain input. A remote attacker
 could use this to execute arbitrary code.
Notes:
 seth-arnold> This CVE was the result of an incomplete fix for CVE-2014-4657
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H [9.8 CRITICAL]

Patches_ansible:
 upstream: https://github.com/ansible/ansible/commit/5429b85b9f6c2e640074176f36ff05fd5e4d1916
upstream_ansible: released (1.6.6+dfsg-1)
lucid_ansible: DNE
precise_ansible: DNE
precise/esm_ansible: DNE
saucy_ansible: ignored (reached end-of-life)
trusty_ansible: ignored (out of standard support)
trusty/esm_ansible: released (1.5.4+dfsg-1ubuntu0.1~esm2)
utopic_ansible: ignored (reached end-of-life)
vivid_ansible: ignored (reached end-of-life)
vivid/stable-phone-overlay_ansible: DNE
vivid/ubuntu-core_ansible: DNE
wily_ansible: ignored (reached end-of-life)
xenial_ansible: not-affected (1.6.6+dfsg-1)
yakkety_ansible: ignored (reached end-of-life)
zesty_ansible: ignored (reached end-of-life)
artful_ansible: not-affected (1.6.6+dfsg-1)
bionic_ansible: not-affected (1.6.6+dfsg-1)
cosmic_ansible: not-affected (1.6.6+dfsg-1)
disco_ansible: not-affected (1.6.6+dfsg-1)
eoan_ansible: not-affected (1.6.6+dfsg-1)
focal_ansible: not-affected (1.6.6+dfsg-1)
groovy_ansible: not-affected (1.6.6+dfsg-1)
hirsute_ansible: not-affected (1.6.6+dfsg-1)
impish_ansible: not-affected (1.6.6+dfsg-1)
jammy_ansible: not-affected (1.6.6+dfsg-1)
devel_ansible: not-affected (1.6.6+dfsg-1)