CVE-2023-5764

HIGH

Ansible < 2.14.12 and 2.16.0-2.16.1 - Template Injection via Unsafe Data Handling

Title source: llm

Description

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.

References (5)

Core 5

Core References

Vendor Advisory

https://security.netapp.com/advisory/ntap-20241025-0001/

Mailing List, Third Party Advisory

https://lists.fedoraproject.org/archives/list/[email protected]/message/X7Q6CHPVCHMZS5M7V22GOKFSXZAQ24EU/

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7773

Vendor Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2023-5764

Issue Tracking, Patch, Vendor Advisory issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2247629

Scores

CVSS v3 7.1

EPSS 0.0054

EPSS Percentile 40.9%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-1336

Status published

Products (9)

fedoraproject/extra_packages_for_enterprise_linux 8.0

fedoraproject/fedora 38

fedoraproject/fedora 39

pypi/ansible-core 2.16.0 - 2.16.1PyPI

redhat/ansible 2.16.0 (4 CPE variants)

redhat/ansible < 2.14.12

redhat/ansible_automation_platform 2.4

redhat/ansible_developer 1.1

redhat/ansible_inside 1.2

Published Dec 12, 2023

Tracked Since Feb 18, 2026