Link Following in ansible
High severity
GitHub Reviewed
Published
Oct 10, 2018
to the GitHub Advisory Database
•
Updated Sep 4, 2024
Package
Affected versions
<= 1.9.6.0
>= 2.0.0.0, <= 2.0.1.0
Patched versions
1.9.6.1
2.0.2.0
Description
Published by the National Vulnerability Database
Jun 3, 2016
Published to the GitHub Advisory Database
Oct 10, 2018
Reviewed
Jun 16, 2020
Last updated
Sep 4, 2024
The
create_script
function in thelxc_container
module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1)/opt/.lxc-attach-script
, (2) the archived container in thearchive_path
directory, or the (3)lxc-attach-script.log
or (4)lxc-attach-script.err
files in the temporary directory.References