CVE-2024-11079
Ansible-core: unsafe tagging bypass via hostvars object in ansible-core
Severity Score
5.5
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
0
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
Track
*SSVC
Descriptions
A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.
An update is now available for Red Hat Ansible Automation Platform Execution Environments. Issues addressed include a bypass vulnerability.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:Track
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2024-11-11 CVE Reserved
- 2024-11-11 CVE Published
- 2025-03-14 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-20: Improper Input Validation
CAPEC
References (4)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/security/cve/CVE-2024-11079 | 2024-11-12 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=2325171 | 2024-11-12 | |
| https://access.redhat.com/errata/RHSA-2024:10770 | 2025-03-14 | |
| https://access.redhat.com/errata/RHSA-2024:11145 | 2025-03-14 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Red Hat Search vendor "Red Hat" | Enterprise Linux Search vendor "Red Hat" for product "Enterprise Linux" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ansible Automation Platform Search vendor "Redhat" for product "Ansible Automation Platform" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ansible Automation Platform Developer Search vendor "Redhat" for product "Ansible Automation Platform Developer" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Ansible Automation Platform Inside Search vendor "Redhat" for product "Ansible Automation Platform Inside" | * | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Ai Search vendor "Redhat" for product "Enterprise Linux Ai" | * | - |
Affected
| ||||||