CVE-2023-5764 (https://access.redhat.com/errata/RHSA-2023:7773): A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce code injection when supplying templating data. It's hard to tell what versions as they aren't stated by the PR that fixes this on the GitHub is before the latest release on PyPi for 2.16.2 and the RHSA says 2.15.8 is bumped.
Seems like 2.14.12, 2.15.7, and 2.16.1 have the fix: ~/git/ansible $ git log --oneline --all -S'CVE-2023-5764' b8877d2d8b (tag: v2.14.12rc1) New release v2.14.12rc1 (#82303) a1d85b9554 (tag: v2.15.7rc1) New release v2.15.7rc1 (#82302) 5007068bfe (tag: v2.16.1rc1) New release v2.16.1rc1 (#82301) 7239d2d371 Ensure that unsafe is more difficult to lose [stable-2.14] (#82295) fea130480d Ensure that unsafe is more difficult to lose [stable-2.15] (#82294) 270b39f6ff Ensure that unsafe is more difficult to lose [stable-2.16] (#82293) $ git log --oneline --all -S'CVE-2023-5764' | cut -d' ' -f1 | xargs -n1 git --no-pager tag --contains v2.14.12 v2.14.12rc1 v2.14.13 v2.15.7 v2.15.7rc1 v2.15.8 v2.16.1 v2.16.1rc1 v2.16.2 v2.14.12 v2.14.12rc1 v2.14.13 v2.15.7 v2.15.7rc1 v2.15.8 v2.16.1 v2.16.1rc1 v2.16.2 Maintainers, please stabilize.
