CVE-2024-11079
MEDIUM5.5EPSS 0.02%Ansible-Core vulnerable to content protections bypass
發布日:2024/11/12修改日:2026/3/19
描述
A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.
受影響套件(4)
- Debian/ansiblefrom 0, < 2.10.7+merged+base+2.10.17+dfsg-0+deb11u4
- Debian/ansiblefrom 0, < 2.10.7+merged+base+2.10.17+dfsg-0+deb11u4
- Debian/ansible-corefrom 0, < 2.14.18-0+deb12u1
- PyPI/ansible-core>= 2.18.0b1, < 2.18.1rc1
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:P |
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L |
參考連結(14)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2024-11079
- ADVISORYhttps://security-tracker.debian.org/tracker/CVE-2024-11079
- PATCHhttps://github.com/ansible/ansible
- WEBhttps://access.redhat.com/errata/RHSA-2024:10770
- WEBhttps://access.redhat.com/errata/RHSA-2024:11145
- WEBhttps://access.redhat.com/security/cve/CVE-2024-11079
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=2325171
- WEBhttps://github.com/ansible/ansible/blob/v2.18.1/changelogs/CHANGELOG-v2.18.rst#security-fixes
- WEBhttps://github.com/ansible/ansible/commit/2936b80dbbc7efb889934aeec80f6142c10266ce
- WEBhttps://github.com/ansible/ansible/commit/70e83e72b43e05e57eb42a6d52d01a4d9768f510
- WEBhttps://github.com/ansible/ansible/commit/98774d15d7748ebaaaf2e83942cc7e8d39f7280e
- WEBhttps://github.com/ansible/ansible/pull/84299
- WEBhttps://github.com/ansible/ansible/pull/84339
- WEBhttps://lists.debian.org/debian-lts-announce/2026/03/msg00006.html