CVE-2014-4657: Ansible Remote Code Execution
CVSS Score: 9.8 (CVSS 3.1)
Basic Information
CVE ID: CVE-2014-4657
GHSA ID:
EPSS Score: 0.83845%
CWE:
Published: 5/17/2022
Updated: 9/6/2024
KEV Status: No
Technology: Python
Technical Details
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ansible | pip | < 1.5.4 | 1.5.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from Ansible's safe_eval function in versions before 1.5.4. The pre-patch code relied on regex-based checks (for example, rejecting strings containing 'import' or a 'method()' pattern) rather than validating the parsed expression's abstract syntax tree. Commit 998793f replaced this with an AST-based approach: it walks the parsed expression, accepts only a whitelist of node types (SAFE_NODES), and rejects dangerous functions (INVALID_CALLS). Because the original function lacked these safeguards, an attacker who could supply an expression could craft one that passed the regex checks yet executed arbitrary Python code through constructs the regexes did not cover.
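The AST-whitelist approach described above, as an added example that is not Ansible's code: a simplified evaluator that parses the expression, accepts only node types in a constructed SAFE_NODES set, restricts calls to a hypothetical SAFE_CALLS allow-list of builtins (an allow-list is used here in place of the commit's INVALID_CALLS block-list), and only then evaluates with a minimal builtins namespace. The names SAFE_NODES and SAFE_CALLS echo the write-up, but their contents here are assumptions.

```python
import ast
import builtins

# Added illustration of the AST-whitelist approach; simplified, not Ansible's code.
# Node types the evaluator accepts (constructed allow-list for this example).
SAFE_NODES = {
    ast.Expression, ast.Constant, ast.List, ast.Tuple, ast.Dict, ast.Set,
    ast.BinOp, ast.UnaryOp, ast.BoolOp, ast.Compare, ast.Load, ast.Name, ast.Call,
    ast.Add, ast.Sub, ast.Mult, ast.Div, ast.Mod, ast.UAdd, ast.USub,
    ast.And, ast.Or, ast.Not, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
    ast.In, ast.NotIn,
}
# The only builtins a Call may target (hypothetical allow-list for this example).
SAFE_CALLS = {"int", "float", "str", "bool", "len"}

class UnsafeExpression(ValueError):
    """Raised when an expression contains a node or name outside the allow-list."""

def check_node(node, allowed_names):
    """Walk the AST and reject anything not explicitly whitelisted."""
    # Attribute access, subscripts, lambdas and comprehensions are simply absent
    # from SAFE_NODES, so they are rejected without needing a dedicated rule.
    if type(node) not in SAFE_NODES:
        raise UnsafeExpression(f"disallowed node {type(node).__name__}")
    if isinstance(node, ast.Name) and node.id not in allowed_names:
        raise UnsafeExpression(f"disallowed name {node.id!r}")
    if isinstance(node, ast.Call):
        # Only a bare name from SAFE_CALLS may be called, never a method.
        if not (isinstance(node.func, ast.Name) and node.func.id in SAFE_CALLS):
            raise UnsafeExpression("disallowed call")
    for child in ast.iter_child_nodes(node):
        check_node(child, allowed_names)

def safe_eval(expr, variables=None):
    """Parse, validate, then evaluate with a minimal builtins namespace."""
    variables = dict(variables or {})
    tree = ast.parse(expr, mode="eval")
    check_node(tree, set(variables) | SAFE_CALLS)
    env = {"__builtins__": {n: getattr(builtins, n) for n in SAFE_CALLS}}
    env.update(variables)
    return eval(compile(tree, "<safe_eval>", "eval"), env)

def is_safe(expr, variables=None):
    """True if the expression passes validation, False if it is rejected."""
    try:
        check_node(ast.parse(expr, mode="eval"), set(variables or {}) | SAFE_CALLS)
        return True
    except (UnsafeExpression, SyntaxError):
        return False
```

Validation happens on the parsed tree before anything is evaluated, so a string that merely avoids a forbidden substring gains nothing: the node type itself has to be on the list.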