Lucene search

K
veracodeVeracode Vulnerability DatabaseVERACODE:43084
HistorySep 02, 2023 - 8:25 a.m.

Arbitrary Code Injection

2023-09-0208:25:06
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
7
vulnerability
ansible semaphore
code injection
remote attacker
extra variables

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

71.6%

github.com/ansible-semaphore/semaphore is vulnerable to Arbitrary Code Injection. The vulnerability exists in makeCmd function at AnsiblePlaybook.go which allows a remote attacker to execute arbitrary code via a crafted payload to the extra variables parameter.

Affected configurations

Vulners
Node
ansible-semaphoreansible_semaphoreRangev2.8.101ansible
VendorProductVersionCPE
ansible-semaphoreansible_semaphore*cpe:2.3:a:ansible-semaphore:ansible_semaphore:*:*:*:*:*:ansible:*:*

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.003

Percentile

71.6%