What is the severity of CVE-2023-5115?

CVE-2023-5115 has a high severity rating due to its potential to enable an absolute path traversal attack.

How do I fix CVE-2023-5115?

To fix CVE-2023-5115, upgrade to Ansible version 8.5.0 or later, or for Red Hat, upgrade to version 2.14.11.

What versions of Ansible are affected by CVE-2023-5115?

CVE-2023-5115 affects all Ansible versions prior to 8.5.0 and 2.14.11 for Red Hat users.

Can CVE-2023-5115 affect my Red Hat Enterprise Linux setup?

Yes, CVE-2023-5115 can affect Red Hat Enterprise Linux when using vulnerable versions of the Ansible automation platform.

What is an absolute path traversal attack in the context of CVE-2023-5115?

An absolute path traversal attack allows an attacker to overwrite files outside the intended extraction path by exploiting symlinks in the Ansible roles.

Vulnerability/
CVE-2023-5115

medium

6.3

CWE

36 22

23/8/2023

18/12/2023

28/12/2023

6/12/2024

CVE-2023-5115: Ansible: malicious role archive can cause ansible-galaxy to overwrite arbitrary files

First published: Wed Aug 23 2023(Updated: )

An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.

Credit: secalert@redhat.com

Affected Software	Affected Version	How to fix
pip/ansible	<8.5.0	8.5.0
redhat/ansible	<2.14.11	2.14.11
All of
Any of
redhat ANSIBLE automation platform	=1.2
redhat ANSIBLE automation platform	=2.3
redhat ANSIBLE automation platform	=2.4
Any of
Red Hat Enterprise Linux	=8.0
Red Hat Enterprise Linux	=9.0
All of
Any of
Red Hat Ansible Inside	=1.1
Red Hat Ansible Inside	=1.2
Any of
Red Hat Enterprise Linux	=8.0
Red Hat Enterprise Linux	=9.0
All of
Any of
Red Hat Ansible Developer	=1.0
Red Hat Ansible Developer	=1.1
Any of
Red Hat Enterprise Linux	=8.0
Red Hat Enterprise Linux	=9.0
Debian GNU/Linux	=10.0

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2023-5115?
CVE-2023-5115 has a high severity rating due to its potential to enable an absolute path traversal attack.
How do I fix CVE-2023-5115?
To fix CVE-2023-5115, upgrade to Ansible version 8.5.0 or later, or for Red Hat, upgrade to version 2.14.11.
What versions of Ansible are affected by CVE-2023-5115?
CVE-2023-5115 affects all Ansible versions prior to 8.5.0 and 2.14.11 for Red Hat users.
Can CVE-2023-5115 affect my Red Hat Enterprise Linux setup?
Yes, CVE-2023-5115 can affect Red Hat Enterprise Linux when using vulnerable versions of the Ansible automation platform.
What is an absolute path traversal attack in the context of CVE-2023-5115?
An absolute path traversal attack allows an attacker to overwrite files outside the intended extraction path by exploiting symlinks in the Ansible roles.

agent/type
agent/first-publish-date
agent/references
agent/severity
agent/description
agent/title
collector/mitre-cve
source/MITRE
agent/event
collector/github-advisory-latest
source/GitHub
alias/GHSA-jpvw-p8pr-9g2x
alias/CVE-2023-5115
agent/software-canonical-lookup
agent/last-modified-date
collector/redhat-bugzilla
source/Red Hat
collector/github-advisory
agent/weakness
agent/trending
agent/source
agent/author
collector/nvd-api
source/NVD
agent/software-canonical-lookup-request
collector/nvd-cve
agent/softwarecombine
agent/tags
package-manager/pip
package-manager/redhat
vendor/redhat
canonical/redhat ansible automation platform
version/redhat ansible automation platform/1.2
version/redhat ansible automation platform/2.3
version/redhat ansible automation platform/2.4
canonical/red hat enterprise linux
version/red hat enterprise linux/8.0
version/red hat enterprise linux/9.0
canonical/red hat ansible inside
version/red hat ansible inside/1.1
version/red hat ansible inside/1.2
canonical/red hat ansible developer
version/red hat ansible developer/1.0
version/red hat ansible developer/1.1
vendor/debian
canonical/debian gnu/linux
version/debian gnu/linux/10.0