CVE-2023-5115

Absolute Path Traversal

Published: Dec 18, 2023 | Modified: Dec 06, 2024
CVSS 3.x (source: NVD): 6.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
CVSS 2.x:
RedHat/V2:
RedHat/V3: 6.3 MODERATE, CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:N
Ubuntu: MEDIUM

An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.

Weakness

The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize absolute path sequences such as “/abs/path” that can resolve to a location that is outside of that directory.
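As an added defensive example (not code from this page or from Ansible itself), the check a role installer can run over a role tarball before extracting it: it refuses the absolute names described above, classic `..` traversal, and symlinks or hard links whose target resolves outside the extraction directory. The destination path `/srv/roles`, the role name and the archive contents are constructed for illustration; the check is purely lexical, so it runs without touching the filesystem.

```python
import io
import os
import tarfile


def escapes(dest: str, path: str) -> bool:
    """True if `path` (relative or absolute) would land outside `dest`. Lexical only."""
    base = os.path.abspath(dest)
    target = os.path.normpath(os.path.join(base, path))
    return os.path.commonpath([base, target]) != base


def unsafe_members(tar: tarfile.TarFile, dest: str) -> list:
    """Return (member name, reason) for every entry that would write or point
    outside `dest`: absolute names, '..' traversal, escaping symlinks/hard links."""
    findings = []
    for m in tar.getmembers():
        if os.path.isabs(m.name):
            findings.append((m.name, "absolute path"))
        elif escapes(dest, m.name):
            findings.append((m.name, "traversal outside extraction dir"))
        elif m.issym():
            link_dir = os.path.dirname(m.name)  # symlink targets are relative to the link's directory
            if os.path.isabs(m.linkname) or escapes(dest, os.path.join(link_dir, m.linkname)):
                findings.append((m.name, "symlink to " + m.linkname))
        elif m.islnk() and escapes(dest, m.linkname):  # hard-link targets are archive-root relative
            findings.append((m.name, "hard link to " + m.linkname))
    return findings


def build_sample_role_archive() -> bytes:
    """Constructed sample: one benign role file plus three entries a safe extractor must refuse."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add(name, data=b""):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        add("myrole/tasks/main.yml", b"- debug: msg=hello\n")
        add("/abs/path/overwrite.txt", b"x")   # absolute name (the weakness described above)
        add("myrole/../../escape.txt", b"x")  # classic '..' traversal
        link = tarfile.TarInfo("myrole/files/link")  # symlink whose target leaves dest
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../outside.txt"
        tar.addfile(link)
    return buf.getvalue()


def audit(data: bytes, dest: str) -> list:
    """Open an in-memory tarball and list the members that must not be extracted into dest."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r") as tar:
        return unsafe_members(tar, dest)
```

Refuse the whole archive if `audit` returns anything; stripping only the offending members still lets a crafted role ship with its benign-looking remainder.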

Affected Software

| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Ansible_automation_platform | Redhat | 1.2 (including) | 1.2 (including) |
| Ansible_automation_platform | Redhat | 2.3 (including) | 2.3 (including) |
| Ansible_automation_platform | Redhat | 2.4 (including) | 2.4 (including) |
| Red Hat Ansible Automation Platform 2.3 for RHEL 8 | RedHat | ansible-core-0:2.14.11-1.el8ap | * |
| Red Hat Ansible Automation Platform 2.3 for RHEL 9 | RedHat | ansible-core-0:2.14.11-1.el9ap | * |
| Red Hat Ansible Automation Platform 2.4 for RHEL 8 | RedHat | ansible-core-0:2.15.5-1.el8ap | * |
| Red Hat Ansible Automation Platform 2.4 for RHEL 9 | RedHat | ansible-core-0:2.15.5-1.el9ap | * |
| Ansible | Ubuntu | bionic | * |
| Ansible | Ubuntu | lunar | * |
| Ansible | Ubuntu | mantic | * |
| Ansible | Ubuntu | trusty | * |
| Ansible | Ubuntu | trusty/esm | * |
| Ansible | Ubuntu | xenial | * |
| Ansible-core | Ubuntu | lunar | * |
| Ansible-core | Ubuntu | mantic | * |

References