CVE-2024-11079

MEDIUM

ansible-core >=2.18.0b1 <2.18.1rc1 - Arbitrary Code Execution via Hostvars Object


Description

A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass the unsafe-content protections by using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.

References (5)

Core References
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:10770
Vendor Advisory (vendor-advisory, x_refsource_redhat): https://access.redhat.com/errata/RHSA-2024:11145
Vendor Advisory (vdb-entry, x_refsource_redhat): https://access.redhat.com/security/cve/CVE-2024-11079
Issue Tracking (issue-tracking, x_refsource_redhat): https://bugzilla.redhat.com/show_bug.cgi?id=2325171

Scores

CVSS v3 5.5
EPSS 0.0002
EPSS Percentile 7.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-20
Status published
Products (10)
pypi/ansible-core 2.18.0b1 - 2.18.1rc1 (PyPI)
Red Hat/Ansible Automation Platform Execution Environments 2.16.14-2
Red Hat/Ansible Automation Platform Execution Environments 2.17.7-1
Red Hat/Ansible Automation Platform Execution Environments 2.9.27-34
Red Hat/Ansible Automation Platform Execution Environments 3.0.1-107
Red Hat/Ansible Automation Platform Execution Environments 3.0.1-108
Red Hat/Red Hat Ansible Automation Platform 2.5 for RHEL 8 1:2.16.14-1.el8ap
Red Hat/Red Hat Ansible Automation Platform 2.5 for RHEL 9 1:2.16.14-1.el9ap
Red Hat/Red Hat Enterprise Linux 10
Red Hat/Red Hat Enterprise Linux AI (RHEL AI)
Published Nov 12, 2024
Tracked Since Feb 18, 2026