VDB
EN
HIGH 7.8

GHSA-w8p5-mx5w-cpqj

ansible-core: Argument injection in ansible-galaxy role install leads to arbitrary code execution

상세

A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field. This allows arbitrary code execution on the machine of a user who installs the role via ansible-galaxy role install.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / ansible-core
최초 영향 버전: 0 수정 버전: 2.16.19rc1
수정 pip install --upgrade 'ansible-core>=2.16.19rc1'
PyPI / ansible-core
최초 영향 버전: 2.17.0b1 수정 버전: 2.18.18rc1
수정 pip install --upgrade 'ansible-core>=2.18.18rc1'
PyPI / ansible-core
최초 영향 버전: 2.19.0b1 수정 버전: 2.19.11rc1
수정 pip install --upgrade 'ansible-core>=2.19.11rc1'
PyPI / ansible-core
최초 영향 버전: 2.20.0b1 수정 버전: 2.20.7rc1
수정 pip install --upgrade 'ansible-core>=2.20.7rc1'
PyPI / ansible-core
최초 영향 버전: 2.21.0b1 수정 버전: 2.21.1rc1
수정 pip install --upgrade 'ansible-core>=2.21.1rc1'

참고