VDB
KO
HIGH 7.8

GHSA-w8p5-mx5w-cpqj

ansible-core: Argument injection in ansible-galaxy role install leads to arbitrary code execution

Details

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / ansible-core
Introduced in: 0 Fixed in: 2.16.19rc1
Fix pip install --upgrade 'ansible-core>=2.16.19rc1'
PyPI / ansible-core
Introduced in: 2.17.0b1 Fixed in: 2.18.18rc1
Fix pip install --upgrade 'ansible-core>=2.18.18rc1'
PyPI / ansible-core
Introduced in: 2.19.0b1 Fixed in: 2.19.11rc1
Fix pip install --upgrade 'ansible-core>=2.19.11rc1'
PyPI / ansible-core
Introduced in: 2.20.0b1 Fixed in: 2.20.7rc1
Fix pip install --upgrade 'ansible-core>=2.20.7rc1'
PyPI / ansible-core
Introduced in: 2.21.0b1 Fixed in: 2.21.1rc1
Fix pip install --upgrade 'ansible-core>=2.21.1rc1'

References