CVE-2023-5115
18.12.2023, 14:15
An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
| Vendor | Product | Version |
|---|---|---|
| redhat | ansible_automation_platform | 1.2 |
| redhat | ansible_automation_platform | 2.3 |
| redhat | ansible_automation_platform | 2.4 |
| redhat | ansible_inside | 1.1 |
| redhat | ansible_inside | 1.2 |
| redhat | ansible_developer | 1.0 |
| redhat | ansible_developer | 1.1 |
| debian | debian_linux | 10.0 |
𝑥
= Vulnerable software versions
Debian Releases
Debian Product | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
| ansible |
| ||||||||||
| ansible-core |
|
Ubuntu Releases
Ubuntu Product | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ansible |
| ||||||||||||||||||
| ansible-core |
|
Common Weakness Enumeration
- CWE-36 - Absolute Path TraversalThe software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as "/abs/path" that can resolve to a location that is outside of that directory.
- CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
References