Latest redhat ansible automation platform Vulnerabilities

CVE-2024-0690
Ansible-core: possible information leak in tasks that ignore ansible_no_log configuration
redhat/ansible<2.14.4
redhat/ansible<2.15.9
redhat/ansible<2.16.3
Redhat Ansible<2.14.4
Redhat Ansible>=2.15.0<2.15.9
Redhat Ansible>=2.16.0<2.16.3
and 12 more
CVE-2023-50782
Python-cryptography: bleichenbacher timing oracle attack against rsa decryption - incomplete fix for cve-2020-25659
Redhat Ansible Automation Platform=2.0
Redhat Enterprise Linux=8.0
Redhat Enterprise Linux=9.0
Redhat Update Infrastructure=4
Python-cryptography Project Python-cryptography<42.0.0
pip/cryptography<42.0.0
and 8 more
CVE-2023-5764
Ansible: template injection
pip/ansible-core<2.14.12
pip/ansible-core>=2.15.0<2.15.8
pip/ansible-core>=2.16.0<2.16.1
Redhat Ansible<2.14.12
Redhat Ansible>=2.15.0<2.15.7
Redhat Ansible=2.16.0
and 11 more
CVE-2023-44487
- Rapid Reset HTTP/2 vulnerability
Microsoft Windows 11=21H2
Microsoft Windows 11=21H2
Microsoft Windows Server 2022
Microsoft Windows Server 2022
Microsoft Windows 11=22H2
Microsoft Windows 11=22H2
and 553 more
CVE-2023-5189
Ansible automation hub: insecure galaxy-importer tarfile extraction
pip/galaxy-importer<=0.4.16
Redhat Ansible Automation Platform=2.0
Redhat Satellite=6.0
CVE-2023-5115
Malicious role archive can cause ansible-galaxy to overwrite arbitrary files
pip/ansible<8.5.0
Redhat Ansible Automation Platform=1.2
Redhat Ansible Automation Platform=2.3
Redhat Ansible Automation Platform=2.4
Redhat Enterprise Linux=8.0
Redhat Enterprise Linux=9.0
and 10 more
CVE-2023-4380
Ansible automation platform: token exposed at importing project
Redhat Ansible Automation Platform=2.4
Redhat Ansible Developer=1.1
Redhat Ansible Inside=1.2
Redhat Enterprise Linux=8.0
Redhat Enterprise Linux=9.0
Redhat Ansible Automation Platform=2.4
and 5 more
CVE-2023-4237
Ansible automation platform: ec2_key module prints out the private key directly to the standard output
Redhat Ansible Automation Platform=2.0
Redhat Ansible Collection
pip/ansible-core>=2.8.0<=2.15.2
CVE-2023-3971
An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a com...
Redhat Ansible Automation Controller<4.3.11
Redhat Ansible Automation Controller=4.4
Redhat Ansible Automation Platform=2.3
Redhat Ansible Automation Platform=2.4
Redhat Ansible Developer=1.0
Redhat Ansible Inside=1.1
and 6 more
CVE-2022-3644
The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.
Pulpproject Pulp Ansible
Redhat Ansible Automation Platform=2.0
Redhat Satellite=6.0
Redhat Update Infrastructure=3.0
CVE-2022-3205
An XSS exists in automation controller UI where the project name is susceptible to XSS injection.POC and INC ticket below
Redhat Ansible Automation Platform=1.2
Redhat Ansible Automation Platform=2.0
CVE-2022-2568
User with 'change user' permissions can change any parameter from a superuser via API but none via UI. This user can even set the 'is_superuser' flag to false and thus remove superuser privileges. HT...
Redhat Ansible Automation Platform=2.1
Redhat Enterprise Linux=8.0
Redhat Ansible Automation Platform=2.2
Redhat Enterprise Linux=9.0
Redhat Ansible Automation Platform=2.0
CVE-2022-1632
A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA seems to skip internal Service TLS certificate validation, errorless serving content even if target Service cer...
Redhat Ansible Automation Platform=2.0
Redhat Openshift Container Platform=4.0
Fedoraproject Fedora=34
Fedoraproject Fedora=35
CVE-2021-4112
A researcher found a trivial bypass for <a href="https://access.redhat.com/security/cve/CVE-2021-20253">CVE-2021-20253</a> by sending a mail to awx user, thereby leveraging postfix to create a folder,...
Redhat Ansible Automation Platform Early Access=2.0
Redhat Ansible Automation Platform Text-only Advisories
Redhat Ansible Tower=3.0
Redhat Ansible Automation Platform=2.0
Redhat Ansible Automation Platform=2.1
Redhat Enterprise Linux=8.0
CVE-2021-3681
Redhat Ansible Automation Platform=1.2
Redhat Ansible Galaxy=3.3.0
CVE-2021-3533
A flaw was found in Ansible if an ansible user sets ANSIBLE_ASYNC_DIR to a subdirectory of a world writable directory. When this occurs, there is a race condition on the managed machine. A malicious, ...
Redhat Ansible Automation Platform=1.2
Redhat Ansible Tower=3.7.0
Redhat Ansible Engine=2.0
Redhat Ansible Tower=3.0
Redhat Enterprise Linux=7.0
Fedoraproject Fedora=34
and 1 more
CVE-2021-3532
A flaw was found in Ansible where the secret information present in async_files are getting disclosed when the user changes the jobdir to a world readable directory. Any secret information in an async...
Redhat Ansible Automation Platform=1.2
Redhat Ansible Tower=3.7.0
Redhat Ansible Engine=2.0
Redhat Ansible Tower=3.0
Redhat Enterprise Linux=7.0
Fedoraproject Fedora=34
and 1 more
CVE-2021-3583
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line...
redhat/ansible_tower<3.7
redhat/ansible_engine<2.9.23
=1.2
<2.9.23
<3.7.0
Redhat Ansible Automation Platform=1.2
and 3 more
CVE-2021-20228
A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the `no_log` feature when using the sub-option feature of the basic.py module. This...
pip/ansible<2.8.19
pip/ansible>=2.9.0<2.9.18
pip/ansible>=2.10.0<2.10.7
redhat/ansible-engine<2.9.18
redhat/ansible<0:2.9.18-1.el7ae
redhat/ansible<0:2.9.18-1.el8ae
and 7 more

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203