pipe lookup plugin enables shell by default #67792
Labels:
- affects_2.10: This issue/PR affects Ansible v2.10
- bug: This issue/PR relates to a bug.
- has_pr: This issue has an associated PR.
- security: Related to a vulnerability or CVE
- support:core: This issue/PR relates to code supported by the Ansible Engineering Team.
SUMMARY
CVE-2020-1734
The `pipe` lookup plugin should use `shell=False` by default to avoid potential privilege escalation. A new option should provide a way to enable `shell=True`. If a variable is passed to the `pipe` lookup, that variable could be overridden via facts, leading to arbitrary code execution.

Relevant code: ansible/lib/ansible/plugins/lookup/pipe.py, line 61 in 79dfae9
It seems like this change was made intentionally quite a while ago (#6550). Changing the default will probably break a lot of things for people.😞
COMPONENT NAME
lib/ansible/plugins/lookup/pipe.py
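To make the proposed fix concrete, here is an added example (not Ansible's pipe.py and not code from this issue) of a minimal pipe-style lookup with a `shell=False` default and an opt-in flag; the function `run_pipe`, the option name `allow_shell` and the injected sample term are all assumptions. It shows why a fact-overridden variable stops being a command injection once the string is no longer handed to `/bin/sh`, and also why plain pipelines in existing playbooks would break under the new default.

```python
import shlex
import subprocess

# Added example: a stand-in for a pipe-style lookup with the shell=False
# default the issue proposes. Names (run_pipe, allow_shell) are hypothetical;
# this is not Ansible's implementation.

def run_pipe(term, allow_shell=False, cwd=None):
    """Run `term` and return its stdout as text.

    allow_shell=False (proposed default): split into argv with shlex and
    exec the program directly, so ';', '|', '$(...)' are just argument bytes.
    allow_shell=True (opt-in): hand the string to /bin/sh, which is where a
    fact-injected value turns into arbitrary commands.
    """
    argv = term if allow_shell else shlex.split(term)
    proc = subprocess.run(argv, shell=allow_shell, cwd=cwd,
                          stdin=subprocess.DEVNULL,
                          capture_output=True, text=True, check=False)
    return proc.stdout.rstrip("\n")


# Constructed sample: a playbook variable that a fact has overridden to
# append a second command (harmless echo here).
INJECTED_TERM = "echo hello; echo INJECTED"

# Constructed sample: a legitimate pipeline that only works with a shell,
# illustrating the compatibility cost noted in the issue.
PIPELINE_TERM = "echo abc | tr a-z A-Z"


def demo():
    safe = run_pipe(INJECTED_TERM)                      # default: no shell
    unsafe = run_pipe(INJECTED_TERM, allow_shell=True)  # opt-in shell
    broken_pipeline = run_pipe(PIPELINE_TERM)           # '|' is now a literal
    return safe, unsafe, broken_pipeline


if __name__ == "__main__":
    safe, unsafe, broken = demo()
    print("shell=False injected ->", repr(safe))    # 'hello; echo INJECTED'
    print("shell=True  injected ->", repr(unsafe))  # 'hello\nINJECTED'
    print("shell=False pipeline ->", repr(broken))  # 'abc | tr a-z A-Z'
```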