A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.
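One way to screen a downloaded role before installing it, as an added example that is not ansible-core's code or its fix: the sketch flags `src` values in already-parsed `meta/requirements.yml` entries that a command line would read as options, and builds a `git clone` argv that keeps `src` positional with `--`. The regexes, function names and sample entries are assumptions constructed for illustration.

```python
import re

SCM_PREFIX = re.compile(r"^(git|hg)\+")   # e.g. "git+https://..."
OPTION_LIKE = re.compile(r"(^|\s)-")      # token a CLI would read as a flag
CONTROL = re.compile(r"[\x00-\x1f\x7f]")  # newlines, tabs, NUL, ...

# Constructed sample, shaped like yaml.safe_load() output for meta/requirements.yml.
SAMPLE = [
    {"src": "https://git.example.invalid/roles/my-role.git", "scm": "git", "version": "v1.2.0"},
    "git+https://git.example.invalid/roles/other.git,main,other",
    {"src": "--placeholder-option=value https://git.example.invalid/x.git", "scm": "git"},
    {"src": "git+https://git.example.invalid/y.git -x"},
]

def entry_src(entry):
    """Return src from a dict entry or from the 'src,version,name' string form."""
    if isinstance(entry, dict):
        return str(entry.get("src") or "")
    return str(entry).split(",", 1)[0]

def audit_src(src):
    """Return reasons why this src should not be passed to a command line."""
    reasons = []
    bare = SCM_PREFIX.sub("", src.strip())
    if OPTION_LIKE.search(bare):
        reasons.append("option-like token (leading '-')")
    if CONTROL.search(src):
        reasons.append("control character")
    return reasons

def audit_requirements(entries):
    """Map entry index -> reasons for every entry that looks unsafe."""
    findings = {}
    for i, entry in enumerate(entries or []):
        reasons = audit_src(entry_src(entry))
        if reasons:
            findings[i] = reasons
    return findings

def clone_argv(src, dest):
    """argv for git clone: refuse flagged values, then end option parsing with '--'."""
    if audit_src(src):
        raise ValueError("refusing src: %r" % src)
    return ["git", "clone", "--", SCM_PREFIX.sub("", src.strip()), dest]

if __name__ == "__main__":
    for idx, why in audit_requirements(SAMPLE).items():
        print(idx, why)
```

The check is a heuristic for review before running `ansible-galaxy role install`; it does not replace upgrading to a fixed ansible-core package.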
CVSS 3.1 vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Exploitability: AV:L, AC:L, PR:N, UI:R
Scope: S:U
Impact: C:H, I:H, A:H