CVE-2023-39059

8.8 HIGH

📋 TL;DR

CVE-2023-39059 is a remote code execution vulnerability in Ansible Semaphore: an attacker can execute arbitrary commands on the Semaphore host via crafted extra variables. It affects administrators and users of vulnerable Semaphore instances and can lead to complete compromise of the system running Semaphore.

💻 Affected Systems

Products:
  • Ansible Semaphore
Versions: v2.8.90 and potentially earlier
Operating Systems: All platforms running Ansible Semaphore
Default Config Vulnerable: ⚠️ Yes
Notes: Affects instances where the extra variables feature is enabled and reachable by the attacker.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with the attacker gaining root/administrator privileges, followed by data exfiltration, lateral movement, and installation of a persistent backdoor.

🟠 Likely Case

Unauthorized command execution leading to service disruption, data manipulation, and potential privilege escalation within the Semaphore environment.

🟢 If Mitigated

Limited impact with proper input validation and execution sandboxing, potentially affecting only Semaphore application data.

🌐 Internet-Facing: HIGH - Remote attackers can exploit the flaw without authentication if the instance is exposed to the internet.
🏢 Internal Only: MEDIUM - Requires internal network access, but still poses a significant risk to infrastructure reachable from the Semaphore host.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The exploit involves crafting a malicious payload in the extra variables parameter; a public proof-of-concept is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.8.91 or later

Vendor Advisory: https://github.com/ansible-semaphore/semaphore/releases

Restart Required: Yes

Instructions:

1. Back up the current configuration and data.
2. Stop the Semaphore service.
3. Update to v2.8.91 or later using the package manager or a manual download.
4. Restart the Semaphore service.
5. Verify the version and functionality.

🔧 Temporary Workarounds

Disable Extra Variables

Platforms: all

Temporarily disable or restrict access to the extra variables functionality.

Modify the Semaphore configuration to disable the extra_vars feature.

Network Segmentation

Platforms: all

Restrict network access to the Semaphore instance.

Configure firewall rules to limit access to trusted IPs only.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for extra variables
  • Deploy Semaphore in isolated network segment with minimal privileges

🔍 How to Verify

Check if Vulnerable:

Check whether the Semaphore version is v2.8.90 or earlier and whether the extra variables feature is accessible.

Check Version:

Run semaphore --version, or check the About page in the web interface.

Verify Fix Applied:

Confirm the version is v2.8.91 or later, then test the extra variables functionality with safe payloads.
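The version check above, as an added example (not part of this advisory or the Semaphore project): a POSIX shell function that takes the text printed by the version command and reports whether the version predates the v2.8.91 fix. It assumes the first X.Y.Z number in that text is the Semaphore version; the output format of semaphore --version is not documented here.

```shell
#!/bin/sh
# Added example, not from the advisory or the Semaphore project: decide whether a
# Semaphore version string falls in the range the advisory marks as vulnerable
# (v2.8.90 and earlier; fixed in v2.8.91). Assumption: the first dotted X.Y.Z
# number in the version text is the product version.
FIXED_VERSION="2.8.91"

# extract_version TEXT: print the first X.Y.Z number found in TEXT, or nothing.
extract_version() {
    printf '%s\n' "$1" \
      | sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p' \
      | head -n 1
}

# version_lt A B: return 0 when dotted version A is strictly lower than B,
# comparing component by component (missing components count as 0).
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; cb=${b%%.*}
        # advance to the next component, or empty the string when exhausted
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ca:-0}" -lt "${cb:-0}" ]; then return 0; fi
        if [ "${ca:-0}" -gt "${cb:-0}" ]; then return 1; fi
    done
    return 1
}

# semaphore_is_vulnerable TEXT: 0 = version predates the fix (vulnerable),
# 1 = fixed version, 2 = no version number found in TEXT.
semaphore_is_vulnerable() {
    v=$(extract_version "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Usage on a live install (CLI name taken from the advisory):
#   semaphore_is_vulnerable "$(semaphore --version 2>&1)" && echo "VULNERABLE"
```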

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution patterns
  • Suspicious extra variables payloads
  • Unexpected process creation

Network Indicators:

  • Anomalous outbound connections from Semaphore host
  • Unexpected command and control traffic

SIEM Query:

source="semaphore.log" AND ("extra_vars" OR "command_execution") AND suspicious_patterns
