CVE-2023-5115

CWE-36 CWE-22 — Path Traversal8 documents7 sources

Severity

6.3MEDIUM

EPSS

0.7%

top 27.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Debian Debian Linux Redhat Ansible Automation Platform Redhat Ansible Developer +1 more

Timeline

PublishedDec 18

Latest updateDec 28

Description

An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:NExploitability: 2.1 | Impact: 4.2

Affected Packages6 packages

▶NVDredhat/ansible_automation_platform1.2, 2.3, 2.4+2

▶PyPIansible< 8.5.0

▶Debianansible< 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1+3

▶Debianansible-core< 2.14.16-0+deb12u1+2

▶NVDredhat/ansible_inside1.1, 1.2+1

Also affects: Debian Linux 10.0

🔴Vulnerability Details

OSV

Ansible symlink attack vulnerability↗2023-12-28

▶

GHSA

Ansible symlink attack vulnerability↗2023-12-28

▶

CVEList

Ansible: malicious role archive can cause ansible-galaxy to overwrite arbitrary files↗2023-12-18

▶

OSV

CVE-2023-5115: An absolute path traversal attack exists in the Ansible automation platform↗2023-12-18

▶

📋Vendor Advisories

Microsoft

Ansible: malicious role archive can cause ansible-galaxy to overwrite arbitrary files↗2023-12-12

▶

Red Hat

Ansible: malicious role archive can cause ansible-galaxy to overwrite arbitrary files↗2023-09-21

▶

Debian

CVE-2023-5115: ansible - An absolute path traversal attack exists in the Ansible automation platform. Thi...↗2023

▶