Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Ansible
(Redhat)| Repositories | https://github.com/ansible/ansible |
| #Vulnerabilities | 45 |
| Date | Id | Summary | Products | Score | Patch | Annotated |
|---|---|---|---|---|---|---|
| 2019-11-22 | CVE-2019-10206 | ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them. | Debian_linux, Backports_sle, Leap, Ansible | 6.5 | ||
| 2021-04-01 | CVE-2021-3447 | A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data... | Fedora, Ansible, Ansible_tower | 5.5 | ||
| 2021-05-26 | CVE-2021-20178 | A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. | Fedora, Ansible, Ansible_tower | 5.5 | ||
| 2021-05-26 | CVE-2021-20191 | A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected. | Virtualization, Ansible, Ansible_tower, Cisco_nx\-Os_collection, Community_general_collection, Community_network_collection, Docker_community_collection, Google_cloud_platform_ansible_collection | 5.5 | ||
| 2022-10-28 | CVE-2022-3697 | A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs. | Ansible, Ansible_collection | 7.5 | ||
| 2018-04-24 | CVE-2016-9587 | Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. | Ansible, Ansible, Openstack | 8.1 | ||
| 2018-07-31 | CVE-2016-8628 | Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as. | Ansible | 9.1 | ||
| 2018-07-31 | CVE-2016-8614 | A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key. | Ansible | 7.5 | ||
| 2020-01-09 | CVE-2014-2686 | Ansible prior to 1.5.4 mishandles the evaluation of some strings. | Ansible | 7.5 | ||
| 2020-03-11 | CVE-2020-1733 | A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target... | Debian_linux, Fedora, Ansible, Ansible_tower, Cloudforms_management_engine, Openstack | 5.0 |