Hi, I am maintaining ansible-runner. There is this bug (CVE-2021-4041) in the security tracker and I think the bug does not affect the version which I have uploaded.
This is the link to the bug: https://security-tracker.debian.org/tracker/CVE-2021-4041 This is the affected code: https://github.com/ansible/ansible-runner/blob/3d6886d1a26358ead139fef736d1c8ca07f7ab71/ansible_runner/runner.py#L257 Recent version from Debian: https://github.com/ansible/ansible-runner/blob/83b5d4e688d2563b0fe89e0a184e06879ca73eec/ansible_runner/runner.py#L260 I assume the " ".join(command) can lead to improper shell escaping. Therefore this method was removed from this line in the recent version. Correct me if I am wrong, then I will open a bug report for upstream. Thanks and Cheers, Saki
