CVE-2023-5115
CVE-2023-5115 is a medium-severity vulnerability in Redhat Ansible Automation Platform with a CVSS 3.x base score of 6.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-36.
Key facts
- Severity: Medium (CVSS 3.x base score 6.3)
- EPSS exploit prediction: 1% (54th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-36
- Affected product: Redhat Ansible Automation Platform
- Published:
- Last modified:
Description
An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
Frequently asked questions
- What is CVE-2023-5115?
- An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
- How severe is CVE-2023-5115?
- CVE-2023-5115 has a CVSS 3.x base score of 6.3, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is low, integrity high, and availability none.
- Is CVE-2023-5115 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (54th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2023-5115?
- CVE-2023-5115 primarily affects Redhat Ansible Automation Platform. In total, 8 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2023-5115?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2023-5115 published?
- CVE-2023-5115 was published on 2023-12-18 and last updated on 2026-06-17.
References
- https://access.redhat.com/errata/RHSA-2023:5701
- https://access.redhat.com/errata/RHSA-2023:5758
- https://access.redhat.com/security/cve/CVE-2023-5115
- https://bugzilla.redhat.com/show_bug.cgi?id=2233810
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
Affected products (8)
- cpe:2.3:a:redhat:ansible_automation_platform:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_automation_platform:2.3:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_automation_platform:2.4:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_inside:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_inside:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_developer:1.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_developer:1.1:*:*:*:*:*:*:*
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
More vulnerabilities in Redhat Ansible Automation Platform
- CVE-2021-4112 — High (CVSS 8.8): A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw…
- CVE-2023-50782 — High (CVSS 7.5): A flaw was found in the python-cryptography package. This issue may allow a remote attacker to decrypt captured…
- CVE-2023-44487 — High (CVSS 7.5): The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset…
- CVE-2021-20228 — High (CVSS 7.5): A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by…
- CVE-2023-4237 — High (CVSS 7.3): A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the…
- CVE-2023-3971 — High (CVSS 7.3): An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture…
All CVEs affecting Redhat Ansible Automation Platform →
Other CWE-36 vulnerabilities
- CVE-2023-3765 — Critical (CVSS 10.0): Absolute Path Traversal in GitHub repository mlflow/mlflow prior to 2.5.0.
- CVE-2025-34392 — Critical (CVSS 9.8): Barracuda Service Center, as implemented in the RMM solution, in versions prior to 2025.1.1, does not verify the URL…
- CVE-2025-0851 — Critical (CVSS 9.8): A path traversal issue in ZipUtils.unzip and TarUtils.untar in Deep Java Library (DJL) on all platforms allows a bad…
- CVE-2024-13161 — Critical (CVSS 9.8): Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security…
- CVE-2024-13160 — Critical (CVSS 9.8): Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security…
- CVE-2024-13159 — Critical (CVSS 9.8): Absolute path traversal in Ivanti EPM before the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security…