ansible-core is vulnerable to Path Traversal. The vulnerability exists due to the lack of sanitization of the linkname in role.py, which allows an attacker to overwrite files outside of the installation directory.
access.redhat.com/errata/RHSA-2023:5701
access.redhat.com/errata/RHSA-2023:5758
access.redhat.com/security/cve/CVE-2023-5115
bugzilla.redhat.com/show_bug.cgi?id=2233810
bugzilla.suse.com/show_bug.cgi?id=1215606
github.com/ansible/ansible/commit/1e930684bc0a76ec3d094cd326738ad26416541c
github.com/ansible/ansible/commit/6809f986fc9c75c9e574657a74cef4eb911d9d34
github.com/ansible/ansible/commit/820dae4aff6ac8773bca9f379fe17a889ec13a3b
github.com/ansible/ansible/commit/fffb3c403fe6def8d07e1062c751199ca3b98b7a
lists.debian.org/debian-lts-announce/2023/12/msg00018.html