CVE-2023-5764: 
Ansible vulnerability analysis and mitigation

A template injection vulnerability (CVE-2023-5764) was discovered in Ansible, affecting versions prior to 2.14.12 and versions from 2.15.0 up to (excluding) 2.15.7. The vulnerability was found in Ansible's controller internal templating operations where the unsafe designation from template data may be removed. This vulnerability was disclosed on December 12, 2023, affecting various Ansible products including Ansible Automation Platform, Ansible Developer, and Ansible Inside (NVD, Red Hat).

The vulnerability has been assigned a CVSS v3.1 base score of 7.8 (High) with the vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The technical nature of the flaw involves internal templating operations that may errantly remove the unsafe designation from template data, potentially allowing template injection when processing user-supplied templating data (NVD, Red Hat Bugzilla).

The successful exploitation of this vulnerability could lead to multiple severe impacts including disclosure of sensitive information, addition or modification of data, and potential Denial of Service (DoS). The high CVSS score reflects the significant potential impact on confidentiality, integrity, and availability of affected systems (NetApp Advisory).

Red Hat has released security updates to address this vulnerability in Ansible Automation Platform 2.4 for RHEL 8 and RHEL 9. The fix is available in ansible-core version 2.15.8. Users are advised to upgrade to the latest versions of affected packages (Red Hat Advisory, Fedora Update).