Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Ansible
(Redhat)| Repositories | https://github.com/ansible/ansible |
| #Vulnerabilities | 45 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-03-27 | CVE-2019-3828 | Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path. | Ansible | 4.2 | ||
| 2013-09-16 | CVE-2013-4259 | runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp/. | Ansible | N/A | ||
| 2013-09-16 | CVE-2013-4260 | lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when playbook does not run due to an error, allows local users to overwrite arbitrary files via a symlink attack on a retry file with a predictable name in /var/tmp/ansible/. | Ansible | N/A | ||
| 2016-06-03 | CVE-2016-3096 | The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory. | Fedora, Ansible | 7.8 | ||
| 2017-11-21 | CVE-2017-7550 | A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the "params" argument, and noting this in the module documentation. | Ansible, Enterprise_linux_server | 9.8 | ||
| 2020-01-02 | CVE-2019-14864 | Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data. | Debian_linux, Backports_sle, Leap, Ansible, Ansible_tower, Ceph_storage, Cloudforms_management_engine, Enterprise_linux | 6.5 | ||
| 2019-07-30 | CVE-2019-10156 | A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed. | Debian_linux, Ansible, Openstack | 5.4 | ||
| 2022-03-16 | CVE-2021-20180 | A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. | Ansible | 5.5 | ||
| 2018-06-22 | CVE-2017-7466 | Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. | Ansible, Openstack | 8.0 | ||
| 2019-11-26 | CVE-2019-14856 | ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None | Backports_sle, Leap, Ansible, Openstack | 6.5 |