Nixpkgs Security Tracker

Login with GitHub

Suggestion detail

Untriaged

Permalink CVE-2024-11079

5.5 MEDIUM

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): HIGH
Privileges required (PR): LOW
User interaction (UI): REQUIRED
Scope (S): CHANGED
Confidentiality impact (C): LOW
Integrity impact (I): LOW
Availability impact (A): LOW

created 6 months, 1 week ago

Ansible-core: unsafe tagging bypass via hostvars object in ansible-core

A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.

References

https://access.redhat.com/security/cve/CVE-2024-11079 x_refsource_REDHAT vdb-entry
RHBZ#2325171 issue-tracking x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-11079 x_refsource_REDHAT vdb-entry
RHBZ#2325171 issue-tracking x_refsource_REDHAT
RHBZ#2325171 issue-tracking x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2024-11079 x_refsource_REDHAT vdb-entry
https://access.redhat.com/security/cve/CVE-2024-11079 x_refsource_REDHAT vdb-entry
RHBZ#2325171 issue-tracking x_refsource_REDHAT
RHSA-2024:10770 x_refsource_REDHAT vendor-advisory
https://access.redhat.com/security/cve/CVE-2024-11079 x_refsource_REDHAT vdb-entry
RHBZ#2325171 issue-tracking x_refsource_REDHAT
RHSA-2024:11145 x_refsource_REDHAT vendor-advisory
https://access.redhat.com/security/cve/CVE-2024-11079 x_refsource_REDHAT vdb-entry
RHBZ#2325171 issue-tracking x_refsource_REDHAT
RHSA-2024:10770 x_refsource_REDHAT vendor-advisory
RHSA-2024:11145 x_refsource_REDHAT vendor-advisory
https://access.redhat.com/security/cve/CVE-2024-11079 x_refsource_REDHAT vdb-entry
RHBZ#2325171 issue-tracking x_refsource_REDHAT
RHSA-2024:10770 x_refsource_REDHAT vendor-advisory
https://access.redhat.com/security/cve/CVE-2024-11079 x_refsource_REDHAT vdb-entry
RHBZ#2325171 issue-tracking x_refsource_REDHAT
RHSA-2024:10770 x_refsource_REDHAT vendor-advisory
RHSA-2024:11145 x_refsource_REDHAT vendor-advisory
https://access.redhat.com/security/cve/CVE-2024-11079 x_refsource_REDHAT vdb-entry
RHBZ#2325171 issue-tracking x_refsource_REDHAT
RHSA-2024:10770 x_refsource_REDHAT vendor-advisory
RHSA-2024:11145 x_refsource_REDHAT vendor-advisory
RHSA-2024:10770 x_refsource_REDHAT vendor-advisory
RHSA-2024:11145 x_refsource_REDHAT vendor-advisory
https://access.redhat.com/security/cve/CVE-2024-11079 x_refsource_REDHAT vdb-entry
RHBZ#2325171 issue-tracking x_refsource_REDHAT
RHSA-2024:10770 x_refsource_REDHAT vendor-advisory
RHSA-2024:11145 x_refsource_REDHAT vendor-advisory
https://access.redhat.com/security/cve/CVE-2024-11079 x_refsource_REDHAT vdb-entry
RHBZ#2325171 issue-tracking x_refsource_REDHAT
RHSA-2024:10770 x_refsource_REDHAT vendor-advisory
RHSA-2024:11145 x_refsource_REDHAT vendor-advisory
https://access.redhat.com/security/cve/CVE-2024-11079 x_refsource_REDHAT vdb-entry
RHBZ#2325171 issue-tracking x_refsource_REDHAT

Affected products

ansible-core

*
=<2.18.0

rhelai1/bootc-nvidia-rhel9

rhelai1/bootc-azure-nvidia-rhel9

ansible-automation-platform/ee-29-rhel8

*

ansible-automation-platform/ee-minimal-rhel8

*

ansible-automation-platform/ee-minimal-rhel9

*

ansible-automation-platform/ansible-builder-rhel8

*

ansible-automation-platform/ansible-builder-rhel9

*

Matching in nixpkgs

pkgs.ansible_2_16

Radically simple IT automation

nixos-unstable -
- nixpkgs-unstable 2.16.14

pkgs.ansible_2_17

Radically simple IT automation

nixos-unstable -
- nixpkgs-unstable 2.17.8

pkgs.ansible_2_18

Radically simple IT automation

nixos-unstable -
- nixpkgs-unstable 2.18.8

pkgs.ansible_2_19

Radically simple IT automation

nixos-unstable -
- nixpkgs-unstable 2.19.2

pkgs.python312Packages.ansible-core

Radically simple IT automation

nixos-unstable -
- nixpkgs-unstable 2.19.2

pkgs.python313Packages.ansible-core

Radically simple IT automation

nixos-unstable -
- nixpkgs-unstable 2.19.2

Package maintainers

@robsliwi Robert Sliwinski <r@sliwi.org>
@HarisDotParis Haris <git@haris.paris>