Upstream information

CVE-2024-11079 at MITRE

Description

A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.

SUSE information

Overall state of this security issue: Pending

This issue is currently rated as having moderate severity.

CVSS v3 Scores
  CNA (Red Hat) SUSE
Base Score 5.5 5.5
Vector CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector Network Network
Attack Complexity High High
Privileges Required Low Low
User Interaction Required Required
Scope Changed Changed
Confidentiality Impact Low Low
Integrity Impact Low Low
Availability Impact Low Low
CVSSv3 Version 3.1 3.1
CVSS v4 Scores
  SUSE
Base Score 2
Vector CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:A/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
Attack Vector Network
Attack Complexity Low
Attack Requirements Present
Privileges Required Low
User Interaction Active
Vulnerable System Confidentiality Impact Low
Vulnerable System Integrity Impact Low
Vulnerable System Availability Impact Low
Subsequent System Confidentiality Impact Low
Subsequent System Integrity Impact Low
Subsequent System Availability Impact Low
CVSSv4 Version 4.0
SUSE Bugzilla entry: 1233276 [NEW]

SUSE Security Advisories:

List of released packages

Product(s) Fixed package version(s) References
openSUSE Tumbleweed
  • ansible-core >= 2.18.1-1.1
  • ansible-core-2.16 >= 2.16.14-1.1
  • ansible-core-2.17 >= 2.17.7-1.1
  • ansible-test >= 2.18.1-1.1
  • ansible-test-2.16 >= 2.16.14-1.1
  • ansible-test-2.17 >= 2.17.7-1.1
Patchnames:
openSUSE-Tumbleweed-2024-14545
openSUSE-Tumbleweed-2024-14546
openSUSE-Tumbleweed-2024-14547


SUSE Timeline for this CVE

CVE page created: Mon Nov 11 14:00:02 2024
CVE page last modified: Wed Dec 11 11:55:40 2024