Lucene search

[email protected]CVE-2023-5115

HistoryDec 18, 2023 - 2:15 p.m.

CVE-2023-5115

2023-12-1814:15:10

CWE-22

[email protected]

web.nvd.nist.gov

118

cve-2023-5115

ansible

automation platform

path traversal attack

symlink

file overwrite

security vulnerability

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N

6.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.6%

JSON

An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.

Affected configurations

NVD

Node

redhatansible_automation_platformMatch1.2

redhatansible_automation_platformMatch2.3

redhatansible_automation_platformMatch2.4

AND

redhatenterprise_linuxMatch8.0

redhatenterprise_linuxMatch9.0

Node

redhatansible_insideMatch1.1

redhatansible_insideMatch1.2

AND

redhatenterprise_linuxMatch8.0

redhatenterprise_linuxMatch9.0

Node

redhatansible_developerMatch1.0

redhatansible_developerMatch1.1

AND

redhatenterprise_linuxMatch8.0

redhatenterprise_linuxMatch9.0

Node

debiandebian_linuxMatch10.0

CPENameOperatorVersion
redhat:ansible_automation_platformredhat ansible automation platformeq1.2
redhat:ansible_automation_platformredhat ansible automation platformeq2.3
redhat:ansible_automation_platformredhat ansible automation platformeq2.4

CPE	Name	Operator	Version
redhat:ansible_automation_platform	redhat ansible automation platform	eq	1.2
redhat:ansible_automation_platform	redhat ansible automation platform	eq	2.3
redhat:ansible_automation_platform	redhat ansible automation platform	eq	2.4

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat Ansible Automation Platform 2.3 for RHEL 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "ansible-core",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:2.14.11-1.el8ap",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_automation_platform_developer:2.3::el9",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.3::el9",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.3::el8",
      "cpe:/a:redhat:ansible_automation_platform:2.3::el9",
      "cpe:/a:redhat:ansible_automation_platform:2.3::el8",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.3::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Ansible Automation Platform 2.3 for RHEL 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "ansible-core",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:2.14.11-1.el9ap",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_automation_platform_developer:2.3::el9",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.3::el9",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.3::el8",
      "cpe:/a:redhat:ansible_automation_platform:2.3::el9",
      "cpe:/a:redhat:ansible_automation_platform:2.3::el8",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.3::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "ansible-core",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:2.15.5-1.el8ap",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "ansible-core",
    "defaultStatus": "affected",
    "versions": [
      {
        "version": "0:2.15.5-1.el9ap",
        "lessThan": "*",
        "versionType": "rpm",
        "status": "unaffected"
      }
    ],
    "cpes": [
      "cpe:/a:redhat:ansible_automation_platform:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform:2.4::el8",
      "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9",
      "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Ansible Automation Platform 1.2",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "ansible",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:ansible_automation_platform"
    ]
  }
]