A template injection flaw was found in Ansible where a user’s controller
internal templating operations may remove the unsafe designation from
template data. This issue could allow an attacker to use a specially
crafted file to introduce templating injection when supplying templating
data.
Author | Note |
---|---|
sbeattie | core ansible binaries were split into ansible-base, which got renamed to ansible-core core ansible binaries were split into ansible-base, which got renamed to ansible-core |
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
ubuntu | 18.04 | noarch | ansible | < any | UNKNOWN |
ubuntu | 20.04 | noarch | ansible | < any | UNKNOWN |
ubuntu | 22.04 | noarch | ansible | < any | UNKNOWN |
ubuntu | 14.04 | noarch | ansible | < any | UNKNOWN |
ubuntu | 16.04 | noarch | ansible | < any | UNKNOWN |
ubuntu | 22.04 | noarch | ansible-core | < any | UNKNOWN |
ubuntu | 23.10 | noarch | ansible-core | < any | UNKNOWN |
ubuntu | 24.04 | noarch | ansible-core | < any | UNKNOWN |
bugzilla.redhat.com/show_bug.cgi?id=2247629
github.com/ansible/ansible/pull/82293 (stable-2.16)
github.com/ansible/ansible/pull/82294 (stable-2.15)
github.com/ansible/ansible/pull/82295 (stable-2.14)
launchpad.net/bugs/cve/CVE-2023-5764
nvd.nist.gov/vuln/detail/CVE-2023-5764
security-tracker.debian.org/tracker/CVE-2023-5764
www.cve.org/CVERecord?id=CVE-2023-5764