Fluid Attacks Database

Description

Ansible-Core vulnerable to content protections bypass A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	ansible	=2.10.7+merged+base+2.10.17+dfsg-0+deb11u1 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u2 \|\| =2.10.7+merged+base+2.10.17+dfsg-0+deb11u3 \|\| =2.10.7+merged+base+2.10.8+dfsg-1 \|\| >=0 <2.10.7+merged+base+2.10.17+dfsg-0+deb11u4	2.10.7+merged+base+2.10.17+dfsg-0+deb11u4
debian 12	ansible-core	=2.14.10-1 \|\| =2.14.11-1 \|\| =2.14.11-2 \|\| =2.14.13-1 \|\| =2.14.16-0+deb12u1 \|\| =2.14.3-1 \|\| =2.14.6-1 \|\| =2.14.7-1 \|\| =2.14.8-1 \|\| =2.14.9-1 \|\| =2.14.9-2 \|\| >=0 <2.14.18-0+deb12u1	2.14.18-0+deb12u1
debian 14	ansible-core	>=0 <2.18.0-2	2.18.0-2
debian 12	ansible	>=0 <5.4.0-1	5.4.0-1
debian 13	ansible	>=0 <5.4.0-1	5.4.0-1
debian 14	ansible	>=0 <5.4.0-1	5.4.0-1
debian 13	ansible-core	>=0 <2.18.0-2	2.18.0-2
pypi	ansible-core	>=2.18.0b1 <2.18.1rc1 \|\| >=2.17.0b1 <2.17.7rc1 \|\| >=0 <2.16.14rc1	2.18.1rc1, 2.17.7rc1, 2.16.14rc1

Aliases

1. CVE-2024-110792. NVD-2024-110793. OSV-DEBIAN-2024-110794. OSV-2024-110795. GCVE-2024-110796. SECURITY-TRACKER-CVE-2024-110797. access.redhat.com8. access.redhat.com9. ACCESS-CVE-2024-1107910. lists.debian.org

References

1. https://github.com/ansible/ansible/pull/842992. https://github.com/ansible/ansible/pull/843393. https://github.com/ansible/ansible/commit/2936b80dbbc7efb889934aeec80f6142c10266ce4. https://github.com/ansible/ansible/commit/70e83e72b43e05e57eb42a6d52d01a4d9768f5105. https://github.com/ansible/ansible/commit/98774d15d7748ebaaaf2e83942cc7e8d39f7280e6. https://bugzilla.redhat.com/show_bug.cgi?id=23251717. https://github.com/ansible/ansible/blob/v2.18.1/changelogs/CHANGELOG-v2.18.rst#security-fixes

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.