[GHSA-2pfh-q76x-gwvm] Improper Input Validation and Command Injection in Ansible

[stschmitt]

Updates

• Affected products
• References

[darakian]

Hey there. Thanks for the contribution, but where are you seeing 3.4.0 as a fixed version? Digging in to the release notes it looks like 3.4.0 uses ansible base version 2.10.9
https://github.com/ansible-community/ansible-build-data/blob/main/3/CHANGELOG-v3.rst

The PR you reference is tagged for versions from v2.12.0b1

[jhampson-dbre]

ansible 4.2 contains ansible-core 2.11.2 which contains the fix for CVE-2021-3583. I think the ansible CVEs are confusing since they split the ansible package into ansible and ansible-base (2.10) and then ansible-core (2.11).

However, CVE-2021-3583 is fixed in ansible 2.9.23 where there was just the single package. fixed": "2.9.23 , 4.2.0" might be more accurate here.
https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELOG-v2.9.rst#v2923

[darakian]

Indeed they are confusing and yes 2.9.23 might make more sense as a fix version. @stschmitt, do you have any reference for 3.4.0 or does @jhampson-dbre's suggestion make more sense to you?