Note:
This project will be discontinued after December 13, 2021. [more]
Product:
Ansible_tower
(Redhat)Repositories |
• https://github.com/kyz/libmspack
• https://github.com/git/git |
#Vulnerabilities | 65 |
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2019-11-26 | CVE-2019-14890 | A vulnerability was found in Ansible Tower before 3.6.1 where an attacker with low privilege could retrieve usernames and passwords credentials from the new RHSM saved in plain text into the database at '/api/v2/config' when applying the Ansible Tower license. | Ansible_tower | N/A | ||
2019-10-14 | CVE-2019-14858 | A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task. | Ansible_engine, Ansible_tower | N/A | ||
2018-05-02 | CVE-2018-1104 | Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template to execute arbitrary code on the Tower server. | Ansible_tower, Cloudforms | 8.8 | ||
2018-05-02 | CVE-2018-1101 | Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privilege escalation. System administrators that are members of organizations can have their passwords reset by organization administrators, allowing organization administrators access to the entire system. | Ansible_tower, Cloudforms | 7.2 | ||
2018-08-22 | CVE-2018-10884 | Ansible Tower before versions 3.1.8 and 3.2.6 is vulnerable to cross-site request forgery (CSRF) in awx/api/authentication.py. An attacker could exploit this by tricking already authenticated users into visiting a malicious site and hijacking the authtoken cookie. | Ansible_tower | 8.8 | ||
2018-08-22 | CVE-2017-7528 | Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarded-For header allows internal servers to deploy other systems (using callback). | Ansible_tower, Cloudforms_management_engine | 6.5 | ||
2018-07-27 | CVE-2017-12148 | A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 with SCM repositories. If a Tower project (SCM repository) definition does not have the 'delete before update' flag set, an attacker with commit access to the upstream playbook source repository could create a Trojan playbook that, when executed by Tower, modifies the checked out SCM repository to add git hooks. These git hooks could, in turn, cause arbitrary command and code execution as the user Tower runs as. | Ansible_tower, Cloudforms | 7.2 | ||
2018-09-11 | CVE-2016-7070 | A privilege escalation flaw was found in the Ansible Tower. When Tower before 3.0.3 deploys a PostgreSQL database, it incorrectly configures the trust level of postgres user. An attacker could use this vulnerability to gain admin level access to the database. | Ansible_tower | 8.0 | ||
2018-10-23 | CVE-2018-16837 | Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list. | Debian_linux, Ansible_engine, Ansible_tower, Package_hub | 7.8 | ||
2018-07-05 | CVE-2018-12910 | The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname. | Ubuntu_linux, Debian_linux, Libsoup, Ansible_tower, Enterprise_linux_desktop, Enterprise_linux_server, Enterprise_linux_workstation, Openshift_container_platform | 9.8 |