Moderate severityNVD Advisory· Published Dec 18, 2023· Updated Nov 20, 2025
Ansible: malicious role archive can cause ansible-galaxy to overwrite arbitrary files
CVE-2023-5115
Description
An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
ansiblePyPI | < 8.5.0 | 8.5.0 |
Affected products
9cpe:/a:redhat:ansible_automation_platform+ 2 more
- cpe:/a:redhat:ansible_automation_platform
- cpe:/a:redhat:ansible_automation_platform:2.4::el8range: 0:2.15.5-1.el9ap
- cpe:/a:redhat:ansible_automation_platform_developer:2.3::el9range: 0:2.14.11-1.el9ap
- ghsa-coords6 versionspkg:pypi/ansiblepkg:rpm/opensuse/ansible-core-2.17&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ansible-core-2.18&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ansible-core-2.19&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ansible-core-2.20&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ansible-core&distro=openSUSE%20Tumbleweed
< 8.5.0+ 5 more
- (no CPE)range: < 8.5.0
- (no CPE)range: < 2.17.6-1.1
- (no CPE)range: < 2.18.10-2.1
- (no CPE)range: < 2.19.4-1.1
- (no CPE)range: < 2.20.6-1.1
- (no CPE)range: < 2.16.9-1.1
Patches
Vulnerability mechanics
References
9- access.redhat.com/errata/RHSA-2023:5701ghsavendor-advisoryx_refsource_REDHATWEB
- access.redhat.com/errata/RHSA-2023:5758ghsavendor-advisoryx_refsource_REDHATWEB
- github.com/advisories/GHSA-jpvw-p8pr-9g2xghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2023-5115ghsaADVISORY
- access.redhat.com/security/cve/CVE-2023-5115ghsavdb-entryx_refsource_REDHATWEB
- bugzilla.redhat.com/show_bug.cgighsaissue-trackingx_refsource_REDHATWEB
- github.com/ansible-community/ansible-build-data/blob/16d36538b96c65d9e0e28d89781361b69857ac0e/8/CHANGELOG-v8.rstghsaWEB
- github.com/ansible/ansible/commit/1e930684bc0a76ec3d094cd326738ad26416541cghsaWEB
- lists.debian.org/debian-lts-announce/2023/12/msg00018.htmlghsaWEB
News mentions
0No linked articles in our index yet.