CVE-2024-11079 — Improper Input Validation in Redhat Ansible

CWE-20 — Improper Input Validation7 documents6 sources

Severity

5.5MEDIUMNVD

EPSS

0.1%

top 80.22%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Ansible

Timeline

PublishedNov 12

Description

A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:LExploitability: 1.3 | Impact: 3.7

Affected Packages1 packages

▶Debianredhat/ansible< 2.10.7+merged+base+2.10.17+dfsg-0+deb11u4+3

🔴Vulnerability Details

GHSA

Ansible-Core vulnerable to content protections bypass↗2024-11-12

▶

OSV

CVE-2024-11079: A flaw was found in Ansible-Core↗2024-11-12

▶

OSV

Ansible-Core vulnerable to content protections bypass↗2024-11-12

▶

CVEList

Ansible-core: unsafe tagging bypass via hostvars object in ansible-core↗2024-11-11

▶

📋Vendor Advisories

Red Hat

ansible-core: Unsafe Tagging Bypass via hostvars Object in Ansible-Core↗2024-11-11

▶

Debian

CVE-2024-11079: ansible - A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass ...↗2024

▶