CVE-2023-5764

7.1 HIGH

📋 TL;DR

This CVE describes a template injection vulnerability in Ansible where unsafe template data can be executed, potentially allowing attackers to run arbitrary code. It affects Ansible users who process untrusted template data. The vulnerability stems from improper handling of template safety designations.

💻 Affected Systems

Products:
  • Ansible
  • Red Hat Ansible Automation Platform
Versions: Ansible Core 2.14.0 to 2.14.10, Ansible Core 2.15.0 to 2.15.5, Ansible Core 2.16.0
Operating Systems: All platforms running affected Ansible versions
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability requires processing of untrusted template data; standard playbooks may not be affected unless they handle external input.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the infrastructure.

🟠

Likely Case

Privilege escalation within Ansible-controlled systems, unauthorized configuration changes, and potential data manipulation.

🟢

If Mitigated

Limited impact with proper input validation and restricted template processing, potentially causing minor configuration issues.

🌐 Internet-Facing: MEDIUM - While Ansible typically runs internally, exposed API endpoints or automation servers could be targeted.
🏢 Internal Only: HIGH - Ansible is commonly used for internal automation, making internal systems primary targets for exploitation.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires attacker to supply malicious template data to vulnerable Ansible operations; no public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Ansible Core 2.14.11, 2.15.6, 2.16.1

Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:7773

Restart Required: No

Instructions:

1. Update Ansible Core using pip: 'pip install --upgrade ansible-core==2.14.11' (or the appropriate fixed version for your release line).
2. For Red Hat Ansible Automation Platform, apply updates via subscription manager.
3. Verify no breaking changes in your playbooks after the update.

🔧 Temporary Workarounds

Restrict Template Processing

Platforms: all

Avoid processing untrusted template data in Ansible operations

# Review playbooks to ensure template data sources are trusted
# Implement input validation for any external template inputs

Use Jinja2 Sandboxing

Platforms: all

Enable Jinja2 sandbox environment for template processing

ansible-config set DEFAULT_JINJA2_SANDBOX true
# Configure in ansible.cfg: jinja2_sandbox = True

🧯 If You Can't Patch

  • Implement strict input validation for all template data sources
  • Isolate Ansible controller from untrusted networks and implement network segmentation

🔍 How to Verify

Check if Vulnerable:

Check Ansible version: 'ansible --version' and verify if within affected ranges (2.14.0-2.14.10, 2.15.0-2.15.5, 2.16.0).

Check Version:

ansible --version | head -1

Verify Fix Applied:

Confirm version is 2.14.11+, 2.15.6+, or 2.16.1+ using 'ansible --version'.
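The version check above, as an added example that is not part of the advisory: it parses the first line of 'ansible --version' (assumed to be in the 'ansible [core X.Y.Z]' format that ansible-core prints) and classifies the installed release against the affected and fixed ranges listed on this page.

```python
import re
import subprocess

# Affected ranges and first fixed release per line, taken from this advisory:
# (lowest affected, highest affected, first fixed)
AFFECTED_RANGES = [
    ((2, 14, 0), (2, 14, 10), (2, 14, 11)),
    ((2, 15, 0), (2, 15, 5), (2, 15, 6)),
    ((2, 16, 0), (2, 16, 0), (2, 16, 1)),
]

# First line of `ansible --version` looks like "ansible [core 2.15.3]".
# Pre-release suffixes (e.g. "2.16.0rc1") are ignored for the comparison.
VERSION_RE = re.compile(r"ansible \[core (\d+)\.(\d+)\.(\d+)")


def parse_core_version(first_line):
    """Return (major, minor, patch) from the first line of `ansible --version`."""
    m = VERSION_RE.search(first_line)
    if not m:
        raise ValueError(f"unrecognised version line: {first_line!r}")
    return tuple(int(p) for p in m.groups())


def assess(version):
    """Classify a (major, minor, patch) tuple against the advisory ranges.

    'vulnerable'  - inside an affected range
    'fixed'       - same release line, at or above the first fixed version
    'not-listed'  - release line not covered by this advisory (check separately)
    """
    for low, high, fixed in AFFECTED_RANGES:
        if low <= version <= high:
            return "vulnerable"
        if version[:2] == fixed[:2] and version >= fixed:
            return "fixed"
    return "not-listed"


def assess_line(first_line):
    """Convenience wrapper: parse the version line and classify it."""
    return assess(parse_core_version(first_line))


if __name__ == "__main__":
    # Run on the local controller and report the result.
    out = subprocess.run(["ansible", "--version"], capture_output=True,
                         text=True, check=True).stdout
    line = out.splitlines()[0]
    print(f"{line} -> {assess_line(line)}")
```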

📡 Detection & Monitoring

Log Indicators:

  • Unusual template processing errors in Ansible logs
  • Unexpected Jinja2 template execution patterns
  • Ansible controller processing unexpected external files

Network Indicators:

  • Ansible controller receiving template data from untrusted sources
  • Unusual outbound connections from Ansible controller post-template processing

SIEM Query:

source="ansible.log" AND ("template injection" OR "unsafe template" OR "Jinja2 error")
