Should at least be mentioned in the docs, yeah.
As I see it, even allowing users to execute playbooks is by design an RCE in the context of the executing user (when the target is localhost).
ansibleguy changed the title from "Problem: Allowing extra-vars might enable code-execution on the server executing the ansible-playbook" to "Problem: RCE by leveraging extra-vars" on Mar 22, 2024
Could be nice-to-have to allow a specific runner user, so the execution context is separated from the WebUI context. (Setting in System config)
E.g., user ansible-webui is running the WebUI and user ansible-runner is executing commands.
The WebUI user will need system privileges to become the runner user.
Versions
Scope
Unknown
Issue
It might not be a problem depending on the security model but it can in theory allow someone to gain more access than they should have.
See: GHSA-4839-8mxx-4xr9