An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
References
Link | Resource |
---|---|
https://access.redhat.com/errata/RHSA-2023:5701 | Vendor Advisory |
https://access.redhat.com/errata/RHSA-2023:5758 | Vendor Advisory |
https://access.redhat.com/security/cve/CVE-2023-5115 | Vendor Advisory |
https://bugzilla.redhat.com/show_bug.cgi?id=2233810 | Issue Tracking |
Configurations
Configuration 1 (hide)
AND |
|
Configuration 2 (hide)
AND |
|
Configuration 3 (hide)
AND |
|
Configuration 4 (hide)
|
History
16 Sep 2024, 15:15
Type | Values Removed | Values Added |
---|---|---|
References |
|
29 Dec 2023, 17:57
Type | Values Removed | Values Added |
---|---|---|
References |
|
|
References | () https://access.redhat.com/errata/RHSA-2023:5758 - Vendor Advisory | |
References | () https://access.redhat.com/security/cve/CVE-2023-5115 - Vendor Advisory | |
References | () https://access.redhat.com/errata/RHSA-2023:5701 - Vendor Advisory | |
References | () https://bugzilla.redhat.com/show_bug.cgi?id=2233810 - Issue Tracking | |
CWE | CWE-22 | |
CPE | cpe:2.3:a:redhat:ansible_automation_platform:2.4:*:*:*:*:*:*:* cpe:2.3:a:redhat:ansible_inside:1.1:*:*:*:*:*:*:* cpe:2.3:a:redhat:ansible_developer:1.1:*:*:*:*:*:*:* cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:ansible_inside:1.2:*:*:*:*:*:*:* cpe:2.3:a:redhat:ansible_automation_platform:2.3:*:*:*:*:*:*:* cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:* cpe:2.3:a:redhat:ansible_automation_platform:1.2:*:*:*:*:*:*:* cpe:2.3:a:redhat:ansible_developer:1.0:*:*:*:*:*:*:* |
|
CVSS |
v2 : v3 : |
v2 : unknown
v3 : 6.3 |
18 Dec 2023, 14:15
Type | Values Removed | Values Added |
---|---|---|
New CVE |
Information
Published : 2023-12-18 14:15
Updated : 2024-09-16 15:15
NVD link : CVE-2023-5115
Mitre link : CVE-2023-5115
CVE.ORG link : CVE-2023-5115
JSON object : View
Products Affected
debian
- debian_linux
redhat
- ansible_automation_platform
- ansible_developer
- ansible_inside
- enterprise_linux
CWE
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')