CVE-2024-11079: Ansible-core: unsafe tagging bypass via hostvars object in ansible-core
A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.
Security readout for executives and security teams
Plain-English summary
CVE-2024-11079 affects ansible-core behavior used by Ansible Automation Platform. In certain playbooks, untrusted data can bypass Ansible’s unsafe-content protections through hostvars and be executed as templated content. Business urgency is moderate: exploitation requires specific playbook patterns, privileges, and user interaction, but automation platforms often have broad infrastructure reach.
Executive priority
Address during the next security update cycle, sooner for automation controlling production or privileged infrastructure. The score is medium, but Ansible’s operational reach can amplify impact when vulnerable playbook patterns exist.
Technical view
The flaw is an unsafe tagging bypass in ansible-core involving the hostvars object. If remote data or module output is improperly templated inside playbooks, an attacker may influence templating and potentially achieve arbitrary code execution. CVSS 3.1 is 5.5 with high attack complexity, low privileges required, user interaction required, and changed scope.
Likely exposure
Most exposure is in environments running affected Red Hat Ansible Automation Platform 2.5 ansible-core packages, listed execution environment images, or listed RHEL AI images. RHEL 10 is marked unaffected. Exposure depends heavily on whether playbooks template untrusted remote data or module outputs via hostvars.
Exploitation context
The bundle does not show CISA KEV listing or cited active exploitation. Practical exploitation appears conditional: an attacker needs influence over data consumed by playbooks and a vulnerable templating pattern. The risk increases where Ansible automation processes data from less-trusted hosts, inventories, or module results.
Researcher notes
Key uncertainty is environmental: the vulnerability requires unsafe playbook templating patterns. Sources identify affected Red Hat products and errata, but do not provide evidence of active exploitation. Validate both package exposure and playbook data-flow exposure before assigning emergency priority.
Mitigation direction
Apply Red Hat errata RHSA-2024:10770 and RHSA-2024:11145 where applicable.
Update affected ansible-core packages and execution environment images per vendor guidance.
Review Debian LTS guidance if using Debian-packaged ansible-core.
Avoid templating untrusted remote data or module outputs through hostvars.
Treat inventory, host facts, and module outputs as untrusted unless controlled.
Validation and detection
Inventory ansible-core versions across controllers and execution environments.
Compare Red Hat package versions against the affected list and errata.
Identify playbooks using hostvars with remote data or module outputs.
Prioritize automation touching privileged systems or broad infrastructure groups.
Confirm updated execution environment images are actually used by jobs.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · low confidence lookup
CWE-20: Exact CWE lookup
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
The CVE wording references code or command execution, so execution technique review may help defensive triage. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-20 · source CWE mapping
Improper Input Validation
Improper Input Validation represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.