Untriaged
Permalink
CVE-2023-5115
6.3 MEDIUM
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): LOW
- User interaction (UI): REQUIRED
- Scope (S): UNCHANGED
- Confidentiality impact (C): LOW
- Integrity impact (I): HIGH
- Availability impact (A): NONE
Malicious role archive can cause ansible-galaxy to overwrite arbitrary files
An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
References
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry
- RHBZ#2233810 issue-tracking x_refsource_REDHAT
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory
- RHBZ#2233810 issue-tracking x_refsource_REDHAT
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry
- RHBZ#2233810 issue-tracking x_refsource_REDHAT
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry
- RHBZ#2233810 issue-tracking x_refsource_REDHAT
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory x_transferred
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory x_transferred
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry x_transferred
- RHBZ#2233810 issue-tracking x_refsource_REDHAT x_transferred
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html x_transferred
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry
- RHBZ#2233810 issue-tracking x_refsource_REDHAT
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory x_transferred
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory x_transferred
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry x_transferred
- RHBZ#2233810 issue-tracking x_refsource_REDHAT x_transferred
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html x_transferred
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry
- RHBZ#2233810 issue-tracking x_refsource_REDHAT
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory x_transferred
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory x_transferred
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry x_transferred
- RHBZ#2233810 issue-tracking x_refsource_REDHAT x_transferred
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html x_transferred
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry
- RHBZ#2233810 issue-tracking x_refsource_REDHAT
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory x_transferred
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory x_transferred
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry x_transferred
- RHBZ#2233810 issue-tracking x_refsource_REDHAT x_transferred
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html x_transferred
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry
- RHBZ#2233810 issue-tracking x_refsource_REDHAT
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory x_transferred
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory x_transferred
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry x_transferred
- RHBZ#2233810 issue-tracking x_refsource_REDHAT x_transferred
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html x_transferred
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry
- RHBZ#2233810 issue-tracking x_refsource_REDHAT
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry x_transferred
- RHBZ#2233810 issue-tracking x_refsource_REDHAT x_transferred
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html x_transferred
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory x_transferred
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory x_transferred
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry
- RHBZ#2233810 issue-tracking x_refsource_REDHAT
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory x_transferred
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory x_transferred
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry x_transferred
- RHBZ#2233810 issue-tracking x_refsource_REDHAT x_transferred
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html x_transferred
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry
- RHBZ#2233810 issue-tracking x_refsource_REDHAT
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory x_transferred
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory x_transferred
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry x_transferred
- RHBZ#2233810 issue-tracking x_refsource_REDHAT x_transferred
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html x_transferred
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry
- RHBZ#2233810 issue-tracking x_refsource_REDHAT
- https://access.redhat.com/security/cve/CVE-2023-5115 x_refsource_REDHAT vdb-entry x_transferred
- RHBZ#2233810 issue-tracking x_refsource_REDHAT x_transferred
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html x_transferred
- RHSA-2023:5701 x_refsource_REDHAT vendor-advisory x_transferred
- RHSA-2023:5758 x_refsource_REDHAT vendor-advisory x_transferred
Affected products
ansible
- ==2.14.11
ansible-core
- *
Matching in nixpkgs
pkgs.ansible-cmdb
Generate host overview from ansible fact gathering output
-
nixos-unstable -
- nixpkgs-unstable 1.31
pkgs.ansible-lint
Best practices checker for Ansible
-
nixos-unstable -
- nixpkgs-unstable 25.8.2
pkgs.ansible_2_16
Radically simple IT automation
-
nixos-unstable -
- nixpkgs-unstable 2.16.14
pkgs.ansible_2_17
Radically simple IT automation
-
nixos-unstable -
- nixpkgs-unstable 2.17.8
pkgs.ansible_2_18
Radically simple IT automation
-
nixos-unstable -
- nixpkgs-unstable 2.18.8
pkgs.ansible_2_19
Radically simple IT automation
-
nixos-unstable -
- nixpkgs-unstable 2.19.2
pkgs.ansible-doctor
Annotation based documentation for your Ansible roles
-
nixos-unstable -
- nixpkgs-unstable 7.2.0
pkgs.ansible-builder
Ansible execution environment builder
-
nixos-unstable -
- nixpkgs-unstable 3.1.0
pkgs.ansible-navigator
Text-based user interface (TUI) for Ansible
-
nixos-unstable -
- nixpkgs-unstable 25.8.0
pkgs.ansible-language-server
Ansible Language Server
-
nixos-unstable -
- nixpkgs-unstable 1.2.1
pkgs.python312Packages.ansible
Radically simple IT automation
-
nixos-unstable -
- nixpkgs-unstable 11.9.0
pkgs.python313Packages.ansible
Radically simple IT automation
-
nixos-unstable -
- nixpkgs-unstable 11.9.0
pkgs.terraform-providers.ansible
None
-
nixos-unstable -
- nixpkgs-unstable 1.0.4
pkgs.python312Packages.ansible-core
Radically simple IT automation
-
nixos-unstable -
- nixpkgs-unstable 2.19.2
pkgs.python313Packages.ansible-core
Radically simple IT automation
-
nixos-unstable -
- nixpkgs-unstable 2.19.2
pkgs.python312Packages.ansible-compat
Function collection that help interacting with various versions of Ansible
-
nixos-unstable -
- nixpkgs-unstable 25.8.1
pkgs.python312Packages.ansible-kernel
Ansible kernel for Jupyter
-
nixos-unstable -
- nixpkgs-unstable 1.0.0
pkgs.python312Packages.ansible-runner
Helps when interfacing with Ansible
-
nixos-unstable -
- nixpkgs-unstable 2.4.1
pkgs.python312Packages.pytest-ansible
Plugin for pytest to simplify calling ansible modules from tests or fixtures
-
nixos-unstable -
- nixpkgs-unstable 25.8.0
pkgs.python313Packages.ansible-compat
Function collection that help interacting with various versions of Ansible
-
nixos-unstable -
- nixpkgs-unstable 25.8.1
pkgs.python313Packages.ansible-kernel
Ansible kernel for Jupyter
-
nixos-unstable -
- nixpkgs-unstable 1.0.0
pkgs.python313Packages.ansible-runner
Helps when interfacing with Ansible
-
nixos-unstable -
- nixpkgs-unstable 2.4.1
pkgs.python313Packages.pytest-ansible
Plugin for pytest to simplify calling ansible modules from tests or fixtures
-
nixos-unstable -
- nixpkgs-unstable 25.8.0
pkgs.vscode-extensions.redhat.ansible
Ansible language support
-
nixos-unstable -
- nixpkgs-unstable 25.8.1
pkgs.python312Packages.ansible-builder
Ansible execution environment builder
-
nixos-unstable -
- nixpkgs-unstable 3.1.0
pkgs.python313Packages.ansible-builder
Ansible execution environment builder
-
nixos-unstable -
- nixpkgs-unstable 3.1.0
pkgs.python312Packages.ansible-pylibssh
Python bindings to client functionality of libssh specific to Ansible use case
-
nixos-unstable -
- nixpkgs-unstable 1.2.2
pkgs.python312Packages.ansible-vault-rw
This project aim to R/W an ansible-vault yaml file
-
nixos-unstable -
- nixpkgs-unstable 2.1.0
pkgs.python313Packages.ansible-pylibssh
Python bindings to client functionality of libssh specific to Ansible use case
-
nixos-unstable -
- nixpkgs-unstable 1.2.2
pkgs.python313Packages.ansible-vault-rw
This project aim to R/W an ansible-vault yaml file
-
nixos-unstable -
- nixpkgs-unstable 2.1.0
pkgs.python312Packages.jinja2-ansible-filters
Jinja2 Ansible Filters
-
nixos-unstable -
- nixpkgs-unstable jinja2-ansible-filters-1.3.2
pkgs.python313Packages.jinja2-ansible-filters
Jinja2 Ansible Filters
-
nixos-unstable -
- nixpkgs-unstable jinja2-ansible-filters-1.3.2
Package maintainers
-
@robsliwi Robert Sliwinski <r@sliwi.org>
-
@HarisDotParis Haris <git@haris.paris>
-
@Melkor333 Samuel Ruprecht <samuel@ton-kunst.ch>
-
@tie Ivan Trubach <mr.trubach@icloud.com>
-
@tboerger Thomas Boerger <thomas@webhippie.de>
-
@mweinelt Martin Weinelt <hexa@darmstadt.ccc.de>
-
@sengaya Thilo Uttendorfer <tlo@sengaya.de>
-
@dawidd6 Dawid Dziurla <dawidd0811@gmail.com>
-
@geluk Johan Geluk <johan+nix@geluk.io>
-
@GaetanLepage Gaetan Lepage <gaetan@glepage.com>
-
@StillerHarpo Florian Engel <engelflorian@posteo.de>
-
@tjni Theodore Ni <43ngvg@masqt.com>
-
@TheMaxMur Maxim Muravev <muravjev.mak@yandex.ru>