CVE-2023-5764 - OpenCVE

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Fedoraproject	Extra Packages For Enterprise Linux Fedora
Redhat	Ansible Ansible Automation Platform Ansible Automation Platform Developer Ansible Automation Platform Inside Ansible Developer Ansible Inside Enterprise Linux

Configuration 1 [-]

OR	cpe:2.3:a:redhat:ansible::::::::
	cpe:2.3:a:redhat:ansible::::::::
	cpe:2.3:a:redhat:ansible:2.16.0:-::::::
	cpe:2.3:a:redhat:ansible:2.16.0:beta1::::::
	cpe:2.3:a:redhat:ansible:2.16.0:beta2::::::
	cpe:2.3:a:redhat:ansible:2.16.0:rc1::::::

Configuration 2 [-]

OR	cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:::::::*
	cpe:2.3:o:fedoraproject:fedora:38:::::::*
	cpe:2.3:o:fedoraproject:fedora:39:::::::*

Configuration 3 [-]

AND

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

OR	cpe:2.3:a:redhat:ansible_automation_platform:2.4:::::::*
	cpe:2.3:a:redhat:ansible_developer:1.1:::::::*
	cpe:2.3:a:redhat:ansible_inside:1.2:::::::*

Package	CPE	Advisory	Released Date
Red Hat Ansible Automation Platform 2.4 for RHEL 8
ansible-core-1:2.15.8-1.el8ap	cpe:/a:redhat:ansible_automation_platform:2.4::el8	RHSA-2023:7773	2023-12-13T00:00:00Z
ansible-core-1:2.15.8-1.el8ap	cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8	RHSA-2023:7773	2023-12-13T00:00:00Z
Red Hat Ansible Automation Platform 2.4 for RHEL 9
ansible-core-1:2.15.8-1.el9ap	cpe:/a:redhat:ansible_automation_platform:2.4::el9	RHSA-2023:7773	2023-12-13T00:00:00Z
ansible-core-1:2.15.8-1.el9ap	cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9	RHSA-2023:7773	2023-12-13T00:00:00Z

References

Link	Providers
https://access.redhat.com/errata/RHSA-2023:7773
https://access.redhat.com/security/cve/CVE-2023-5764
https://bugzilla.redhat.com/show_bug.cgi?id=2247629
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X7Q6CHPVCHMZS5M7V22GOKFSXZAQ24EU/
https://nvd.nist.gov/vuln/detail/CVE-2023-5764
https://www.cve.org/CVERecord?id=CVE-2023-5764

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-12-12T22:01:33.467Z

Updated: 2024-09-16T16:14:17.182Z

Reserved: 2023-10-25T10:27:46.601Z

Link: CVE-2023-5764

Vulnrichment

Updated: 2024-08-02T08:07:32.777Z

NVD

Status : Modified

Published: 2023-12-12T22:15:22.747

Modified: 2024-09-16T17:16:01.667

Link: CVE-2023-5764

Redhat

Severity : Moderate

Publid Date: 2023-11-02T12:57:00Z

Links: CVE-2023-5764 - Bugzilla

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Affected Vendors & Products

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object