Product:

Ansible

(Redhat)
Repositories https://github.com/ansible/ansible
#Vulnerabilities 45
Date Id Summary Products Score Patch Annotated
2019-01-03 CVE-2018-16876 ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data. Ubuntu_linux, Debian_linux, Ansible, Ansible_engine, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_workstation, Openstack, Package_hub 5.3
2019-11-25 CVE-2019-10217 A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks. Ansible N/A
2020-02-18 CVE-2014-4967 Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" clause, or (3) a trailing " validate=" clause accompanied by a shell command. Ansible N/A
2020-02-18 CVE-2014-4966 Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data. Ansible N/A
2020-02-20 CVE-2014-4678 The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657. Debian_linux, Ansible N/A
2020-02-20 CVE-2014-4660 Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format. Ansible N/A
2020-02-20 CVE-2014-4659 Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format. Ansible N/A
2020-02-20 CVE-2014-4658 The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file. Ansible N/A
2020-02-20 CVE-2014-4657 The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. Ansible N/A
2017-06-07 CVE-2015-6240 The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack. Ansible 7.8