CVE-2014-4966 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2014-4966 Interim 1 15 2025-11-05T05:04:59Z current 2021-05-30T13:22:16Z 2025-11-05T05:04:59Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2014-4966 Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/7LWEIR2LXW4QRWCY6HDMLUO2OTX5OZIC/ E-Mail link for openSUSE-SU-2024:14536-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise Server 16.0 SUSE Manager Client Tools Beta for SLE 15 SUSE Manager Client Tools for SLE 15 SUSE Manager Proxy Module 4.2 SUSE Manager Proxy Module 4.3 SUSE OpenStack Cloud 7 openSUSE Leap 15.5 openSUSE Leap 15.6 openSUSE Tumbleweed ansible ansible-10-10.6.0-1.1 ansible-11-11.11.0-1.1 ansible-11.3.0-160000.3.2 ansible-2.2.0.0-1.1 ansible-9-9.8.0-1.1 ansible-doc ansible-test ansible-11.3.0-160000.3.2 as a component of SUSE Linux Enterprise Server 16.0 ansible-2.2.0.0-1.1 as a component of openSUSE Tumbleweed ansible-10-10.6.0-1.1 as a component of openSUSE Tumbleweed ansible-11-11.11.0-1.1 as a component of openSUSE Tumbleweed ansible-9-9.8.0-1.1 as a component of openSUSE Tumbleweed ansible as a component of SUSE Manager Client Tools Beta for SLE 15 ansible as a component of SUSE Manager Client Tools for SLE 15 ansible as a component of SUSE Manager Proxy Module 4.2 ansible-doc as a component of SUSE Manager Proxy Module 4.2 ansible as a component of SUSE Manager Proxy Module 4.3 ansible-doc as a component of SUSE Manager Proxy Module 4.3 ansible as a component of SUSE OpenStack Cloud 7 ansible as a component of openSUSE Leap 15.5 ansible-doc as a component of openSUSE Leap 15.5 ansible-test as a component of openSUSE Leap 15.5 ansible as a component of openSUSE Leap 15.6 Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data. CVE-2014-4966 SUSE Linux Enterprise Server 16.0:ansible-11.3.0-160000.3.2 openSUSE Tumbleweed:ansible-2.2.0.0-1.1 openSUSE Tumbleweed:ansible-10-10.6.0-1.1 openSUSE Tumbleweed:ansible-11-11.11.0-1.1 openSUSE Tumbleweed:ansible-9-9.8.0-1.1 SUSE Manager Client Tools Beta for SLE 15:ansible SUSE Manager Client Tools for SLE 15:ansible SUSE Manager Proxy Module 4.2:ansible SUSE Manager Proxy Module 4.2:ansible-doc SUSE Manager Proxy Module 4.3:ansible SUSE Manager Proxy Module 4.3:ansible-doc SUSE OpenStack Cloud 7:ansible openSUSE Leap 15.5:ansible openSUSE Leap 15.5:ansible-doc openSUSE Leap 15.5:ansible-test openSUSE Leap 15.6:ansible critical 7.5 AV:N/AC:L/Au:N/C:P/I:P/A:P 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H