CVE-2023-5764: A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data…

high7.8CVSS 3.1

AVLACLPRLUINSUCHIHAH

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.

Affected

28 ranges· showing 25

Vendor	Product	Version range	Fixed in
debian	ansible	< ansible 5.4.0-1 (bookworm)	ansible 5.4.0-1 (bookworm)
debian	ansible-core	< ansible 5.4.0-1 (bookworm)	ansible 5.4.0-1 (bookworm)
fedoraproject	extra_packages_for_enterprise_linux	—	—
fedoraproject	fedora	—	—
fedoraproject	fedora	—	—
msrc	azl3_ansible_2.15.3-1_on_azure_linux_3.0	—	—
msrc	azl3_ansible_2.17.0-1_on_azure_linux_3.0	—	—
msrc	azure_linux_3.0_arm	—	—
msrc	azure_linux_3.0_x64	—	—
msrc	cbl2_ansible_2.14.12-2_on_cbl_mariner_2.0	—	—
msrc	cbl_mariner_2.0_arm	—	—
msrc	cbl_mariner_2.0_x64	—	—
redhat	ansible	< 2.14.12	2.14.12
redhat	ansible	—	—
redhat	ansible	>= 0 < 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1	2.10.7+merged+base+2.10.17+dfsg-0+deb11u1
redhat	ansible	>= 0 < 5.4.0-1	5.4.0-1
redhat	ansible	>= 0 < 5.4.0-1	5.4.0-1
redhat	ansible	>= 0 < 5.4.0-1	5.4.0-1
redhat	ansible	>= 0 < 2.0.0.2-2ubuntu1.3+esm2	2.0.0.2-2ubuntu1.3+esm2
redhat	ansible	>= 0 < 2.0.0.2-2ubuntu1.3+esm3	2.0.0.2-2ubuntu1.3+esm3
redhat	ansible	>= 0 < 2.5.1+dfsg-1ubuntu0.1+esm2	2.5.1+dfsg-1ubuntu0.1+esm2
redhat	ansible	>= 0 < 2.5.1+dfsg-1ubuntu0.1+esm3	2.5.1+dfsg-1ubuntu0.1+esm3
redhat	ansible	>= 0 < 2.9.6+dfsg-1ubuntu0.1~esm2	2.9.6+dfsg-1ubuntu0.1~esm2
redhat	ansible	>= 0 < 2.10.7+merged+base+2.10.8+dfsg-1ubuntu0.1~esm4	2.10.7+merged+base+2.10.8+dfsg-1ubuntu0.1~esm4
redhat	ansible	>= 2.15.0 < 2.15.7	2.15.7

CVSS provenance

nvdv3.17.8HIGHCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

osv7.8HIGH