Miggo Logo

CVE-2015-6240: Ansible Sandbox Escape via Symlink Attack

7.8

CVSS Score
3.0

Basic Information

EPSS Score
0.0896%
Published
5/13/2022
Updated
8/30/2024
KEV Status
No
Technology
TechnologyPython

Technical Details

CVSS Vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package NameEcosystemVulnerable VersionsFirst Patched Version
ansiblepip< 1.9.21.9.2

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from how file transfer functions (put_file/fetch_file) in chroot/jail/zone connection plugins handled paths. Pre-patch versions constructed target paths by naively joining the restricted environment's root directory with user-supplied paths, then used shutil.copyfile. This allowed symlinks within the restricted environment to resolve to host filesystem paths. The patches replaced this with in-environment 'dd' execution, ensuring symlinks are resolved within the restricted environment. The affected functions are clearly identified in commit diffs and CVE descriptions, with high confidence due to direct correlation between the vulnerability mechanism and the patched code changes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** **root, j*il, *n* zon* *onn**tion plu*ins in *nsi*l* ***or* *.*.* *llow lo**l us*rs to *s**p* * r*stri*t** *nvironm*nt vi* * symlink *tt**k.

Reasoning

T** vuln*r**ility st*ms *rom *ow *il* tr*ns**r *un*tions (put_*il*/**t**_*il*) in **root/j*il/zon* *onn**tion plu*ins **n*l** p*t*s. Pr*-p*t** v*rsions *onstru*t** t*r**t p*t*s *y n*iv*ly joinin* t** r*stri*t** *nvironm*nt's root *ir**tory wit* us*r-