Link Following in ansible
High severity
GitHub Reviewed
Published
Oct 10, 2018
to the GitHub Advisory Database
•
Updated Feb 13, 2023
Package
Affected versions
>= 2.0.0, <= 2.0.1.0
<= 1.9.6.0
Patched versions
2.0.2.0
1.9.6.1
Description
Published by the National Vulnerability Database
Jun 3, 2016
Published to the GitHub Advisory Database
Oct 10, 2018
Reviewed
Jun 16, 2020
Last updated
Feb 13, 2023
The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.
References