Product: Ansible (Redhat)
Repositories: https://github.com/ansible/ansible
#Vulnerabilities: 45
| Date | Id | Summary | Products | Score |
|---|---|---|---|---|
| 2020-02-18 | CVE-2014-4966 | Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data. | Ansible | N/A |
| 2020-02-20 | CVE-2014-4678 | The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657. | Debian_linux, Ansible | N/A |
| 2020-02-20 | CVE-2014-4660 | Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format. | Ansible | N/A |
| 2020-02-20 | CVE-2014-4659 | Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format. | Ansible | N/A |
| 2020-02-20 | CVE-2014-4658 | The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file. | Ansible | N/A |
| 2020-02-20 | CVE-2014-4657 | The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. | Ansible | N/A |
| 2017-06-07 | CVE-2015-6240 | The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack. | Ansible | 7.8 |
| 2015-08-12 | CVE-2015-3908 | Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | Ansible | N/A |
| 2017-06-08 | CVE-2014-3498 | The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands. | Ansible | 8.8 |
| 2018-05-04 | CVE-2013-2233 | Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys. | Ansible | 7.4 |