CVE-2023-5115

An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.

Published: Dec 18, 2023
Updated: May 9, 2024
CVE: CVE-2023-5115
GHSA: GHSA-jpvw-p8pr-9g2x
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 6.3
AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

CWEs:

CWE-22
CWE-36

OWASP TOP 10:

A5 - Broken Access Control

Affected Software
References

Software	From	Fixed in
redhat / ansible_automation_platform	1.2	1.2.x
redhat / ansible_automation_platform	2.3	2.3.x
redhat / ansible_automation_platform	2.4	2.4.x
redhat / ansible_inside	1.1	1.1.x
redhat / ansible_inside	1.2	1.2.x
redhat / ansible_developer	1.0	1.0.x
redhat / ansible_developer	1.1	1.1.x
debian / debian_linux	10.0	10.0.x
ansible	-	8.5.0

https://access.redhat.com/errata/RHSA-2023:5701
https://access.redhat.com/errata/RHSA-2023:5758
https://access.redhat.com/security/cve/CVE-2023-5115
https://bugzilla.redhat.com/show_bug.cgi?id=2233810
https://github.com/ansible-community/ansible-build-data/blob/16d36538b96c65d9e0e28d89781361b69857ac0e/8/CHANGELOG-v8.rst#L221
https://github.com/ansible/ansible/commit/1e930684bc0a76ec3d094cd326738ad26416541c
https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Vulnerability Database

289,598

CVE-2023-5115