Unsafe tagging can be bypassed by using the `hostvars` object to indirectly reference the content and successfully template it.

Requirements to exploit (if any): Access to mangle the content returned to a play (via lookup or module) that uses hostvars to reference the unsafe content.

Steps to reproduce:
- have unsafe content from lookup or module, or defined:
    untrusted: !unsafe this{{varshould}}notbetemplated
- reference it via the hostvars object
    debug: msg={{ hostvars['hostname']['untrusted']

The vulnerability has a low impact on confidentiality, as data exposure depends on the play's logic. It poses a moderate risk to integrity and availability due to potential tampering with execution flows and the termination of critical processes through injected commands. Exploitation is of high complexity, requiring specific knowledge of the playbook and access to modify remote data or perform MITM attacks. However, the scope of impact extends to remote systems, potentially altering their behavior.
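
A review aid for the pattern described above, added here as an example and not taken from the report or from Ansible: it lists every `hostvars[...]` reference in a playbook's text and marks those whose variable is defined with `!unsafe` or captured with `register:` in the same file. The function name, the regexes and the sample playbook are constructed for illustration.

```python
import re

# hostvars[<host>] followed by ['var'], ["var"] or .var
# (a host expression that itself contains "]" is not handled)
HOSTVARS_REF = re.compile(
    r"""hostvars\s*\[\s*(?P<host>[^\]]+?)\s*\]
        (?:\s*\[\s*['"](?P<key>[^'"]+)['"]\s*\]|\s*\.\s*(?P<attr>[A-Za-z_]\w*))""",
    re.VERBOSE,
)
UNSAFE_DEF = re.compile(r"^\s*(?:-\s*)?(?P<name>[A-Za-z_]\w*)\s*:\s*!unsafe\b")
REGISTER_DEF = re.compile(r"^\s*register\s*:\s*(?P<name>[A-Za-z_]\w*)")


def audit(text):
    """Return (line_no, host_expr, var_name, origin) per hostvars reference.

    origin is "!unsafe" or "register" when the variable is defined that way
    in the same text, else None (its source has to be checked by hand).
    """
    lines = text.splitlines()
    origin = {}
    for line in lines:
        for tag, pattern in (("!unsafe", UNSAFE_DEF), ("register", REGISTER_DEF)):
            m = pattern.match(line)
            if m:
                origin.setdefault(m.group("name"), tag)
    findings = []
    for line_no, line in enumerate(lines, start=1):
        if line.lstrip().startswith("#"):  # skip commented-out tasks
            continue
        for m in HOSTVARS_REF.finditer(line):
            var = m.group("key") or m.group("attr")
            findings.append((line_no, m.group("host"), var, origin.get(var)))
    return findings


# Constructed sample playbook; only the first debug task mirrors the report.
SAMPLE = """\
- hosts: all
  vars:
    untrusted: !unsafe this{{varshould}}notbetemplated
    banner: welcome
  tasks:
    - command: cat /etc/motd
      register: motd
    - debug: msg={{ hostvars['hostname']['untrusted'] }}
    - debug:
        msg: "{{ hostvars[inventory_hostname].motd.stdout }}"
    - debug: msg={{ hostvars['hostname']['banner'] }}
    # - debug: msg={{ hostvars['hostname']['untrusted'] }}
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Findings with an origin of `None` still need their variable's source traced by hand, since facts and lookup results defined in other files are not visible to a single-file scan.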

This issue has been addressed in the following products:

  Ansible Automation Platform Execution Environments

Via RHSA-2024:10770 https://access.redhat.com/errata/RHSA-2024:10770

This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2024:11145 https://access.redhat.com/errata/RHSA-2024:11145