Vulnerability Details : CVE-2023-5764
A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.
Products affected by CVE-2023-5764
- cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible:2.16.0:-:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible:2.16.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible:2.16.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible:2.16.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_automation_platform:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_developer:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_inside:1.2:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
- cpe:2.3:a:fedoraproject:extra_packages_for_enterprise_linux:8.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-5764
0.22%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 43 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2023-5764
| Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
|---|---|---|---|---|---|---|
|
7.8
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
1.8
|
5.9
|
NIST | |
|
7.1
|
HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
1.8
|
5.2
|
Red Hat, Inc. | 2024-01-01 |
|
6.6
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N |
1.3
|
5.2
|
Red Hat, Inc. | |
|
6.6
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N |
N/A
|
N/A
|
RedHat-CVE-2023-5764 |
CWE ids for CVE-2023-5764
-
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.Assigned by: secalert@redhat.com (Secondary)
References for CVE-2023-5764
-
https://bugzilla.redhat.com/show_bug.cgi?id=2247629
2247629 – (CVE-2023-5764) CVE-2023-5764 ansible: Template InjectionIssue Tracking;Patch;Vendor Advisory
-
https://access.redhat.com/security/cve/CVE-2023-5764
CVE-2023-5764- Red Hat Customer PortalVendor Advisory
-
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X7Q6CHPVCHMZS5M7V22GOKFSXZAQ24EU/
[SECURITY] Fedora 39 Update: ansible-9.1.0-1.fc39 - package-announce - Fedora Mailing-ListsThird Party Advisory
-
https://access.redhat.com/errata/RHSA-2023:7773
RHSA-2023:7773 - Security Advisory - Red Hat Customer PortalVendor Advisory
Jump to