A flaw was found in Ansible, where a user's controller is vulnerable to template injection when internal templating operations may errantly remove the unsafe designation from template data.
Created ansible tracking bugs for this issue:
  Affects: epel-all [bug 2247631]
  Affects: fedora-all [bug 2247630]
Is this an issue which has an upstream fix in the Ansible project? Are there details on the issue to determine downstream affected versions?
Yes, look here:
  https://github.com/ansible/ansible/pull/82293
  https://github.com/ansible/ansible/pull/82294
  https://github.com/ansible/ansible/pull/82295
(In reply to Vipul Nair from comment #4)
> Yes, look here:
> https://github.com/ansible/ansible/pull/82293
> https://github.com/ansible/ansible/pull/82294
> https://github.com/ansible/ansible/pull/82295
Thanks (I think they were not there yet when I asked, so thanks for the followup).
This issue has been addressed in the following products:
  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9
Via RHSA-2023:7773 https://access.redhat.com/errata/RHSA-2023:7773