{"id":"PYSEC-2022-253","details":"A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment.","aliases":["CVE-2021-4041","GHSA-6j58-grhv-2769"],"modified":"2023-11-01T04:56:20.018348Z","published":"2022-08-24T16:15:00Z","references":[{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2028074"},{"type":"WEB","url":"https://access.redhat.com/security/cve/CVE-2021-4041"},{"type":"FIX","url":"https://github.com/ansible/ansible-runner/commit/3533f265f4349a3f2a0283158cd01b59a6bbc7bd"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-6j58-grhv-2769"}],"affected":[{"package":{"name":"ansible-runner","ecosystem":"PyPI","purl":"pkg:pypi/ansible-runner"},"ranges":[{"type":"GIT","repo":"https://github.com/ansible/ansible-runner","events":[{"introduced":"0"},{"fixed":"3533f265f4349a3f2a0283158cd01b59a6bbc7bd"}]},{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.0"}]}],"versions":["1.0.1","1.0.2","1.0.3","1.0.4","1.0.5","1.1.0","1.1.1","1.1.2","1.2.0","1.3.0","1.3.1","1.3.2","1.3.3","1.3.4","1.4.0","1.4.1","1.4.2","1.4.4","1.4.5","1.4.6","1.4.7","1.4.8","1.4.9","2.0.0","2.0.0.0a5","2.0.0.0b1","2.0.0.0rc1","2.0.0.0rc2","2.0.0.0rc3","2.0.0a1","2.0.0a2","2.0.0a3","2.0.0a4","2.0.1","2.0.2","2.0.3","2.0.4","2.1.0.0a1","2.1.0.0a2","2.1.0.0b1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/ansible-runner/PYSEC-2022-253.yaml"}}],"schema_version":"1.7.3"}