Latest redhat ansible Vulnerabilities

CVE-2024-0690
Ansible-core: possible information leak in tasks that ignore ansible_no_log configuration
pip/ansible-core>=2.15.0<2.15.9
pip/ansible-core>=2.16.0<2.16.3
pip/ansible-core<2.14.14
redhat/ansible<2.14.4
redhat/ansible<2.15.9
redhat/ansible<2.16.3
and 24 more
CVE-2023-5764
Ansible: template injection
pip/ansible-core<2.14.12
pip/ansible-core>=2.15.0<2.15.8
pip/ansible-core>=2.16.0<2.16.1
Redhat Ansible<2.14.12
Redhat Ansible>=2.15.0<2.15.7
Redhat Ansible=2.16.0
and 11 more
CVE-2022-3697
A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this iss...
>=2.5.0<2.10.0
<2.0.0
>=2.1.0<5.1.0
Redhat Ansible>=2.5.0<2.10.0
Redhat Ansible Collection<2.0.0
Redhat Ansible Collection>=2.1.0<5.1.0
and 1 more
CVE-2021-3447
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller...
redhat/ansible<0:2.9.20-1.el7ae
redhat/ansible<0:2.9.20-1.el8ae
redhat/redhat-virtualization-host<0:4.4.7-20210715.1.el8_4
redhat/ansible<0:2.9.21-1.el8ae
redhat/Red Hat Ansible Automation Platform<1.2.2
redhat/Ansible Tower<3.8.2
and 10 more
CVE-2021-20191
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of...
redhat/ansible<0:2.9.18-1.el7ae
redhat/ansible<0:2.9.18-1.el8ae
redhat/ansible<2.9.18
=4.0
<2.8.19
>=2.9.0<2.9.18
and 24 more
CVE-2021-20180
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw ...
redhat/ansible<0:2.9.18-1.el7ae
redhat/ansible<0:2.9.18-1.el8ae
Redhat Ansible<2.9.18
CVE-2021-20178
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw ...
redhat/ansible<0:2.9.18-1.el7ae
redhat/ansible<0:2.9.18-1.el8ae
Redhat Ansible<2.9.18
Redhat Ansible Tower=3.0
Fedoraproject Fedora=32
Fedoraproject Fedora=33
and 2 more
CVE-2020-25635
A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. Thi...
Redhat Ansible=2.10.1-rc2
CVE-2020-25636
A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have...
Redhat Ansible=2.10.1-rc2
CVE-2020-10744
An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the ...
Redhat Ansible>=2.7.0<=2.7.18
Redhat Ansible>=2.8.0<=2.8.12
Redhat Ansible>=2.9.0<=2.9.9
Redhat Ansible Tower>=3.4.0<=3.4.5
Redhat Ansible Tower>=3.5.0<=3.5.6
Redhat Ansible Tower>=3.6.0<=3.6.4
CVE-2020-10684
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable whe...
pip/ansible>=2.9.0<2.9.6
pip/ansible>=2.8.0<2.8.9
pip/ansible>=2.7.0<2.7.17
redhat/ansible-engine<2.7.17
redhat/ansible-engine<2.8.11
redhat/ansible-engine<2.9.7
and 13 more
CVE-2020-1738
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be sel...
Redhat Ansible<=2.7.16
Redhat Ansible>=2.8.0<=2.8.8
Redhat Ansible>=2.9.0<=2.9.5
Redhat Ansible Tower<=3.3.4
Redhat Ansible Tower>=3.3.5<=3.4.5
Redhat Ansible Tower>=3.5.0<=3.5.5
and 3 more
CVE-2014-4657
The `safe_eval` function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.
pip/ansible<1.5.4
Redhat Ansible<1.5.4
CVE-2014-4659
Ansible before 1.5.5 sets 0644 permissions for `sources.list`, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the `...
Redhat Ansible<1.5.5
pip/ansible<1.5.5
<1.5.5
CVE-2014-4658
The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.
pip/ansible<1.5.5
Redhat Ansible<1.5.5
CVE-2014-4660
Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in `sources.list`, which might allow local users to obtain sensitive credential information in o...
Redhat Ansible<1.5.5
debian/ansible
CVE-2014-4678
The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability ex...
Redhat Ansible<1.6.4
Debian Debian Linux=8.0
Debian Debian Linux=9.0
Debian Debian Linux=10.0
pip/ansible<1.6.4
debian/ansible
CVE-2014-4967
Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as de...
Redhat Ansible<1.6.7
pip/ansible<1.6.7
CVE-2014-4966
Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code v...
Redhat Ansible<1.6.7
pip/ansible<1.6.7
CVE-2020-1740
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, a...
redhat/ansible-engine<2.7.17
redhat/ansible-engine<2.8.11
redhat/ansible-engine<2.9.7
redhat/ansible<0:2.7.17-1.el7ae
redhat/ansible<0:2.8.11-1.el7ae
redhat/ansible<0:2.8.11-1.el8ae
and 17 more
CVE-2020-1739
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to othe...
redhat/ansible-engine<2.7.17
redhat/ansible-engine<2.8.11
redhat/ansible-engine<2.9.7
Redhat Ansible<=2.7.16
Redhat Ansible>=2.8.0<=2.8.8
Redhat Ansible>=2.9.0<=2.9.5
and 12 more
CVE-2020-1735
A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All vers...
redhat/ansible-engine<2.7.17
redhat/ansible-engine<2.8.11
redhat/ansible-engine<2.9.7
Redhat Ansible<2.7.17
Redhat Ansible>=2.8.0<2.8.11
Redhat Ansible>=2.9.0<2.9.7
and 11 more
CVE-2020-1733
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with b...
redhat/ansible-engine<2.7.17
redhat/ansible-engine<2.8.11
redhat/ansible-engine<2.9.7
redhat/ansible<0:2.7.17-1.el7ae
redhat/ansible<0:2.8.11-1.el7ae
redhat/ansible<0:2.8.11-1.el8ae
and 17 more
CVE-2014-2686
Ansible prior to 1.5.4 mishandles the evaluation of some strings.
Redhat Ansible<1.5.4
CVE-2019-14864
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used ...
debian/ansible
Redhat Ansible>=2.7.0<2.7.15
Redhat Ansible>=2.8.0<2.8.7
Redhat Ansible>=2.9.0<2.9.1
Redhat Ansible Tower=3.0
Redhat Ceph Storage=3.0
and 7 more
CVE-2019-14904
A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' ba...
redhat/ansible-engine<2.9.4
redhat/ansible-engine<2.8.8
redhat/ansible-engine<2.7.16
Redhat Ansible<2.7.15
Redhat Ansible>=2.8.0<2.8.7
Redhat Ansible>=2.9.0<2.9.2
and 3 more
CVE-2019-14856
A data disclosure flaw was found in ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with...
Redhat Ansible>=2.6.0<2.6.20
Redhat Ansible>=2.7.0<2.7.14
Redhat Ansible>=2.8.0<2.8.6
openSUSE Backports SLE=15.0-sp1
openSUSE Leap=15.1
Redhat Openstack=13
and 3 more
CVE-2019-10217
A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_conten...
Redhat Ansible>=2.8.0<2.8.4
CVE-2019-10206
ansible-playbook -k and ansible cli tools prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and expos...
Redhat Ansible>=2.6.0<2.6.19
Redhat Ansible>=2.7.0<2.7.13
Redhat Ansible>=2.8.0<2.8.4
Debian Debian Linux=10.0
openSUSE Backports SLE=15.0-sp1
openSUSE Leap=15.1
and 7 more
CVE-2019-10156
[ansible_password] in the ~/.ssh/authorized_keys file is repalced by administrator's password on remote node by templating. Upstream pull: <a href="https://github.com/ansible/ansible/pull/57188">htt...
Redhat Ansible<2.6.18
Redhat Ansible>=2.7.0<2.7.12
Redhat Ansible>=2.8.0<2.8.2
Redhat Openstack=13
Redhat Openstack=14
Debian Debian Linux=8.0
and 7 more
CVE-2019-3828
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible contr...
Redhat Ansible>=2.5.0<2.5.15
Redhat Ansible>=2.6.0<2.6.14
Redhat Ansible>=2.7.0<2.7.8
pip/ansible>=2.7.0<2.7.8
pip/ansible>=2.6.0<2.6.14
pip/ansible<2.5.15
and 5 more
CVE-2018-16876
ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data.
Redhat Ansible>=2.5.0<2.5.14
Redhat Ansible>=2.6.0<2.6.11
Redhat Ansible>=2.7.0<2.7.5
Debian Debian Linux=9.0
Redhat Ansible Engine=2.0
Redhat Ansible Engine=2.5
and 21 more
CVE-2016-8614
A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and in...
Redhat Ansible<2.2.0

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203