Bug 1216854 (CVE-2023-5764) - VUL-0: CVE-2023-5764: ansible,ansible1: Template Injection
Summary: VUL-0: CVE-2023-5764: ansible,ansible1: Template Injection
Status: RESOLVED FIXED
Alias: CVE-2023-5764
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/383921/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-5764:6.6:(AV:L...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-11-03 09:03 UTC by SMASH SMASH
Modified: 2024-05-28 11:48 UTC (History)
7 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
opensuse_buildservice: needinfo? (gabriele.sonnu)

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description SMASH SMASH 2023-11-03 09:03:38 UTC 
A flaw was found in Ansible, where a user's controller is vulnerable to template injection when internal templating operations may errantly remove the unsafe designation from template data.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-5764
Comment 2 Gabriele Sonnu 2023-12-19 15:03:15 UTC 
Upstream patches:

https://github.com/ansible/ansible/pull/82293 (2.16)
https://github.com/ansible/ansible/pull/82294 (2.15)
https://github.com/ansible/ansible/pull/82295 (2.14)

Tracking as affected:

 - SUSE:SLE-12-SP3:Update:Products:Cloud8:Update/ansible
 - SUSE:SLE-15:Update/ansible
 - SUSE:SLE-15:Update:Products:ManagerToolsBeta:Update/ansible
 - openSUSE:Backports:SLE-15-SP4/ansible
 - openSUSE:Backports:SLE-15-SP5/ansible
Comment 5 Christian Almeida de Oliveira 2024-01-17 14:23:42 UTC 
Stoyan,
SOC products (SOC 8 and SOC 9) are under LTSS, it means that we are considering CVE's with a score higher than 7.5 only, which is not the case here.
Assigning it back to the Security team.
Comment 6 Johannes Kastl 2024-03-25 08:51:52 UTC 
Hi everyone,

is there something to do here? ansible-core in Tumbleweed is on 2.16.4 already, not sure if older versions are still available somewhere?

2.9.27 was the latest version for quite some time, but is end of life already also for a long time...

Kind Regards,
Johannes
Comment 9 Maintenance Automation 2024-04-24 12:30:07 UTC 
SUSE-SU-2024:1427-1: An update that solves eight vulnerabilities, contains one feature and has 11 security fixes can now be installed.

Category: security (moderate)
Bug References: 1008037, 1008038, 1010940, 1019021, 1038785, 1059235, 1099805, 1166389, 1171823, 1174145, 1174302, 1175993, 1177948, 1216854, 1219002, 1219887, 1219912, 1220371, 1221092
CVE References: CVE-2016-8647, CVE-2016-9587, CVE-2017-7550, CVE-2018-10874, CVE-2020-14365, CVE-2023-5764, CVE-2023-6152, CVE-2024-0690
Jira References: MSQA-759
Maintenance Incident: [SUSE:Maintenance:33400](https://smelt.suse.de/incident/33400/)
Sources used:
SUSE Manager Client Tools Beta for SLE 15 (src):
 ansible-2.9.27-159000.3.12.2, spacecmd-5.0.5-159000.6.48.2, grafana-9.5.16-159000.4.30.2, supportutils-plugin-susemanager-client-5.0.3-159000.6.21.2, uyuni-tools-0.1.7-159000.3.8.1, POS_Image-Graphical7-0.1.1710765237.46af599-159000.3.24.2, dracut-saltboot-0.1.1710765237.46af599-159000.3.33.2, spacewalk-client-tools-5.0.4-159000.6.54.2, POS_Image-JeOS7-0.1.1710765237.46af599-159000.3.24.2
SUSE Manager Client Tools Beta for SLE Micro 5 (src):
 golang-github-prometheus-node_exporter-1.5.0-159000.6.2.1, uyuni-tools-0.1.7-159000.3.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2024-05-06 12:31:08 UTC 
SUSE-SU-2024:1509-1: An update that solves 15 vulnerabilities, contains one feature and has four security fixes can now be installed.

Category: security (important)
Bug References: 1008037, 1008038, 1010940, 1019021, 1038785, 1059235, 1099805, 1166389, 1171823, 1174145, 1174302, 1175993, 1177948, 1216854, 1219002, 1219912, 1221092, 1221465, 1222155
CVE References: CVE-2016-8614, CVE-2016-8628, CVE-2016-8647, CVE-2016-9587, CVE-2017-7550, CVE-2018-10874, CVE-2020-10744, CVE-2020-14330, CVE-2020-14332, CVE-2020-14365, CVE-2020-1753, CVE-2023-5764, CVE-2023-6152, CVE-2024-0690, CVE-2024-1313
Jira References: MSQA-760
Maintenance Incident: [SUSE:Maintenance:33434](https://smelt.suse.de/incident/33434/)
Sources used:
openSUSE Leap 15.5 (src):
 spacecmd-4.3.27-150000.3.116.2, POS_Image-JeOS7-0.1.1710765237.46af599-150000.1.21.2, ansible-2.9.27-150000.1.17.2, POS_Image-Graphical7-0.1.1710765237.46af599-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2, golang-github-prometheus-promu-0.14.0-150000.3.18.2
SUSE Manager Client Tools for SLE 15 (src):
 POS_Image-JeOS7-0.1.1710765237.46af599-150000.1.21.2, ansible-2.9.27-150000.1.17.2, spacewalk-client-tools-4.3.19-150000.3.89.2, uyuni-common-libs-4.3.10-150000.1.39.2, uyuni-proxy-systemd-services-4.3.12-150000.1.21.2, mgr-daemon-4.3.9-150000.1.47.2, spacewalk-koan-4.3.6-150000.3.33.2, spacecmd-4.3.27-150000.3.116.2, POS_Image-Graphical7-0.1.1710765237.46af599-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2, grafana-9.5.18-150000.1.63.2
SUSE Manager Client Tools for SLE Micro 5 (src):
 uyuni-proxy-systemd-services-4.3.12-150000.1.21.2, dracut-saltboot-0.1.1710765237.46af599-150000.1.53.2
SUSE Package Hub 15 15-SP5 (src):
 golang-github-prometheus-promu-0.14.0-150000.3.18.2
SUSE Manager Proxy 4.3 Module 4.3 (src):
 ansible-2.9.27-150000.1.17.2, uyuni-proxy-systemd-services-4.3.12-150000.1.21.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Carlos López 2024-05-28 11:44:45 UTC 
Done, closing.