CVE-2023-39059
Description
An issue in ansible semaphore v.2.8.90 allows a remote attacker to execute arbitrary code via a crafted payload to the extra variables parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Ansible Semaphore v2.8.90 allows a remote attacker to execute arbitrary code via a crafted payload in the extra variables parameter.
Description
CVE-2023-39059 is a remote code execution vulnerability in Ansible Semaphore version 2.8.90. The issue lies in the “Extra Variables” feature, which is directly associated with the ansible-playbook --extra-vars flag. This feature allows users to pass additional variables to a playbook at runtime, and it is accessible via the /project/id/environment endpoint of the web interface [1][3]. The lack of proper sanitization or validation on the extra variables parameter enables an attacker to inject arbitrary commands that are executed by the underlying system.
Exploitation
An attacker who can access the Semaphore web UI (likely an authenticated user with project access) can craft a malicious payload in the extra variables field. The payload is processed by Semaphore and passed unsanitized to the ansible-playbook command, which runs with the privileges of the Semaphore service. This allows the attacker to execute arbitrary operating system commands on the Semaphore server. The vulnerability is remotely exploitable and does not require any special network position beyond access to the web application [1][3].
Impact
Successful exploitation grants the attacker arbitrary code execution on the Semaphore server. Since Semaphore is used to manage infrastructure and run automation tasks, this could lead to full compromise of the server, including access to sensitive credentials, inventory data, and the ability to pivot to other managed systems. The CVSS score has not been officially assigned by NVD, but given the nature and ease of exploitation, the severity is considered high [2][3].
Mitigation
As of the publication date, the vulnerability existed in version 2.8.90. Users are strongly advised to upgrade to a patched version of Ansible Semaphore, as the maintainers have likely addressed the input validation issue. The official GitHub repository for Semaphore UI provides the latest releases and documentation for installation and upgrade procedures [4]. No workaround other than restricting access to the web interface and limiting the use of the extra variables feature has been suggested.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/ansible-semaphore/semaphore | Go | <= 2.8.90 | — |
Affected products
- ansible/semaphore
  - Range: = 2.8.90
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-3r32-cp7v-5wq4 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-39059 (GHSA, advisory)
- gist.github.com/Alevsk/1757da24c5fb8db735d392fd4146ca3a (GHSA, web)
- www.alevsk.com/2023/07/a-quick-story-of-security-pitfalls-with-execcommand-in-software-integrations (GHSA, web)
- www.alevsk.com/2023/07/a-quick-story-of-security-pitfalls-with-execcommand-in-software-integrations/ (MITRE)
News mentions
No linked articles in our index yet.