Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS03ajY5LXFmYzMtMmZxOc4AA3tj

Ansible template injection vulnerability

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce code injection when supplying templating data.

Permalink: https://github.com/advisories/GHSA-7j69-qfc3-2fq9
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS03ajY5LXFmYzMtMmZxOc4AA3tj
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 14 days ago

CVSS Score: 6.6
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

Identifiers: GHSA-7j69-qfc3-2fq9, CVE-2023-5764
References:

Repository: https://github.com/ansible/ansible
Blast Radius: 22.0

Affected Packages

pypi:ansible-core

Dependent packages: 40
Dependent repositories: 2,140
Downloads: 4,533,750 last month
Affected Version Ranges: < 2.14.12, >= 2.15.0, < 2.15.8, >= 2.16.0, < 2.16.1
Fixed in: 2.14.12, 2.15.8, 2.16.1
All affected versions: 2.11.0, 2.11.1, 2.11.2, 2.11.3, 2.11.4, 2.11.5, 2.11.6, 2.11.7, 2.11.8, 2.11.9, 2.11.10, 2.11.11, 2.11.12, 2.12.0, 2.12.1, 2.12.2, 2.12.3, 2.12.4, 2.12.5, 2.12.6, 2.12.7, 2.12.8, 2.12.9, 2.12.10, 2.13.0, 2.13.1, 2.13.2, 2.13.3, 2.13.4, 2.13.5, 2.13.6, 2.13.7, 2.13.8, 2.13.9, 2.13.10, 2.13.11, 2.13.12, 2.13.13, 2.14.0, 2.14.1, 2.14.2, 2.14.3, 2.14.4, 2.14.5, 2.14.6, 2.14.7, 2.14.8, 2.14.9, 2.14.10, 2.14.11, 2.15.0, 2.15.1, 2.15.2, 2.15.3, 2.15.4, 2.15.5, 2.15.6, 2.15.7, 2.16.0
All unaffected versions: 2.14.12, 2.14.13, 2.14.14, 2.14.15, 2.14.16, 2.15.8, 2.15.9, 2.15.10, 2.15.11, 2.16.1, 2.16.2, 2.16.3, 2.16.4, 2.16.5, 2.16.6