Product:

Ansible_engine

(Redhat)
Date Id Summary Products Score Patch Annotated
2020-09-11 CVE-2020-14332 A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality. Debian_linux, Ansible_engine 5.5
2021-04-29 CVE-2021-20228 A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality. Debian_linux, Ansible_automation_platform, Ansible_engine, Ansible_tower 7.5
2018-07-02 CVE-2018-10874 In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result. Ansible_engine, Openstack, Virtualization, Virtualization_host 7.8
2020-03-03 CVE-2020-1734 A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts. Ansible_engine, Ansible_tower 7.4
2019-10-08 CVE-2019-14846 In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process. Debian_linux, Backports_sle, Leap, Ansible_engine, Openstack 7.8
2018-03-13 CVE-2018-7750 transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step. Debian_linux, Paramiko, Ansible_engine, Cloudforms, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_server_aus, Enterprise_linux_server_eus, Enterprise_linux_server_tus, Enterprise_linux_workstation, Virtualization 9.8
2020-09-23 CVE-2020-14365 A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability. Debian_linux, Ansible_engine, Ansible_tower, Ceph_storage, Openstack_platform 7.1
2021-05-27 CVE-2020-10729 A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6. Debian_linux, Ansible_engine 5.5
2018-07-03 CVE-2018-10855 Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible. Ubuntu_linux, Debian_linux, Ansible_engine, Cloudforms, Openstack, Virtualization 5.9
2018-07-13 CVE-2018-10875 A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code. Ubuntu_linux, Debian_linux, Ansible_engine, Ceph_storage, Gluster_storage, Openshift, Openstack, Virtualization, Virtualization_host, Package_hub 7.8