Bug 2325171 (CVE-2024-11079)
Summary: | CVE-2024-11079 ansible-core: Unsafe Tagging Bypass via hostvars Object in Ansible-Core | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | adudiak, bagasse, bbrownin, brking, davidn, haoli, hkataria, jajackso, jcammara, jeder, jmitchel, jneedle, jsamir, jtanner, jwong, kegrant, koliveir, kshier, ljawale, luizcosta, mabashia, mdogra, nweather, omaciel, pbraun, prodsec-dev, rbobbitt, shvarugh, simaishi, smcdonal, stcannon, sthirugn, teagle, tfister, thavo, vkrizan, yguenane, zkayyali |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | Flags: | mdogra: needinfo? (prodsec-dev) |
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks. |
Bug Depends On: | 2325174, 2325173 | ||
Description
OSIDB Bzimport
2024-11-11 12:01:25 UTC
The vulnerability has a low impact on confidentiality, as data exposure depends on the play's logic. It poses a moderate risk to integrity and availability due to potential tampering with execution flows and the termination of critical processes through injected commands. Exploitation is of high complexity, requiring specific knowledge of the playbook and access to modify remote data or perform MITM attacks. However, the scope of impact extends to remote systems, potentially altering their behavior.

This issue has been addressed in the following products:

- Ansible Automation Platform Execution Environments

Via RHSA-2024:10770 https://access.redhat.com/errata/RHSA-2024:10770

This issue has been addressed in the following products:

- Red Hat Ansible Automation Platform 2.5 for RHEL 8
- Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2024:11145 https://access.redhat.com/errata/RHSA-2024:11145