Filtered by vendor Redhat
Subscriptions
Filtered by product Ansible Automation Platform
Subscriptions
Total
130 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2021-3620 | 1 Redhat | 12 Ansible Automation Platform, Ansible Automation Platform Early Access, Ansible Engine and 9 more | 2024-11-21 | 5.5 Medium |
| A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality. | ||||
| CVE-2021-3583 | 1 Redhat | 3 Ansible Automation Platform, Ansible Engine, Ansible Tower | 2024-11-21 | 7.1 High |
| A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity. | ||||
| CVE-2021-3447 | 2 Fedoraproject, Redhat | 7 Fedora, Ansible, Ansible Automation Platform and 4 more | 2024-11-21 | 5.5 Medium |
| A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2. | ||||
| CVE-2021-3281 | 4 Djangoproject, Fedoraproject, Netapp and 1 more | 5 Django, Fedora, Snapcenter and 2 more | 2024-11-21 | 5.3 Medium |
| In Django 2.2 before 2.2.18, 3.0 before 3.0.12, and 3.1 before 3.1.6, the django.utils.archive.extract method (used by "startapp --template" and "startproject --template") allows directory traversal via an archive with absolute paths or relative paths with dot segments. | ||||
| CVE-2021-33503 | 4 Fedoraproject, Oracle, Python and 1 more | 10 Fedora, Enterprise Manager Ops Center, Instantis Enterprisetrack and 7 more | 2024-11-21 | 7.5 High |
| An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect. | ||||
| CVE-2021-32028 | 2 Postgresql, Redhat | 5 Postgresql, Ansible Automation Platform, Enterprise Linux and 2 more | 2024-11-21 | 6.5 Medium |
| A flaw was found in postgresql. Using an INSERT ... ON CONFLICT ... DO UPDATE command on a purpose-crafted table, an authenticated database user could read arbitrary bytes of server memory. The highest threat from this vulnerability is to data confidentiality. | ||||
| CVE-2021-32027 | 2 Postgresql, Redhat | 7 Postgresql, Ansible Automation Platform, Enterprise Linux and 4 more | 2024-11-21 | 8.8 High |
| A flaw was found in postgresql in versions before 13.3, before 12.7, before 11.12, before 10.17 and before 9.6.22. While modifying certain SQL array values, missing bounds checks let authenticated database users write arbitrary bytes to a wide area of server memory. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | ||||
| CVE-2021-31535 | 3 Fedoraproject, Redhat, X.org | 5 Fedora, Ansible Automation Platform, Enterprise Linux and 2 more | 2024-11-21 | 9.8 Critical |
| LookupCol.c in X.Org X through X11R7.7 and libX11 before 1.7.1 might allow remote attackers to execute arbitrary code. The libX11 XLookupColor request (intended for server-side color lookup) contains a flaw allowing a client to send color-name requests with a name longer than the maximum size allowed by the protocol (and also longer than the maximum packet size for normal-sized packets). The user-controlled data exceeding the maximum size is then interpreted by the server as additional X protocol requests and executed, e.g., to disable X server authorization completely. For example, if the victim encounters malicious terminal control sequences for color codes, then the attacker may be able to take full control of the running graphical session. | ||||
| CVE-2021-27291 | 4 Debian, Fedoraproject, Pygments and 1 more | 6 Debian Linux, Fedora, Pygments and 3 more | 2024-11-21 | 7.5 High |
| In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service. | ||||
| CVE-2021-23980 | 2 Mozilla, Redhat | 2 Bleach, Ansible Automation Platform | 2024-11-21 | 6.1 Medium |
| A mutation XSS affects users calling bleach.clean with all of: svg or math in the allowed tags p or br in allowed tags style, title, noscript, script, textarea, noframes, iframe, or xmp in allowed tags the keyword argument strip_comments=False Note: none of the above tags are in the default allowed tags and strip_comments defaults to True. | ||||
| CVE-2021-23017 | 6 F5, Fedoraproject, Netapp and 3 more | 19 Nginx, Fedora, Ontap Select Deploy Administration Utility and 16 more | 2024-11-21 | 7.7 High |
| A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process crash or potential other impact. | ||||
| CVE-2021-20270 | 4 Debian, Fedoraproject, Pygments and 1 more | 9 Debian Linux, Fedora, Pygments and 6 more | 2024-11-21 | 7.5 High |
| An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword. | ||||
| CVE-2021-20253 | 1 Redhat | 2 Ansible Automation Platform, Ansible Tower | 2024-11-21 | 6.7 Medium |
| A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. | ||||
| CVE-2021-20228 | 2 Debian, Redhat | 6 Debian Linux, Ansible Automation Platform, Ansible Engine and 3 more | 2024-11-21 | 7.5 High |
| A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality. | ||||
| CVE-2021-20191 | 2 Oracle, Redhat | 12 Virtualization, Ansible, Ansible Automation Platform and 9 more | 2024-11-21 | 5.5 Medium |
| A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected. | ||||
| CVE-2021-20180 | 1 Redhat | 5 Ansible, Ansible Automation Platform, Ansible Engine and 2 more | 2024-11-21 | 5.5 Medium |
| A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. | ||||
| CVE-2021-20178 | 2 Fedoraproject, Redhat | 7 Fedora, Ansible, Ansible Automation Platform and 4 more | 2024-11-21 | 5.5 Medium |
| A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. | ||||
| CVE-2020-7789 | 2 Node-notifier Project, Redhat | 2 Node-notifier, Ansible Automation Platform | 2024-11-21 | 5.6 Medium |
| This affects the package node-notifier before 9.0.0. It allows an attacker to run arbitrary commands on Linux machines due to the options params not being sanitised when being passed an array. | ||||
| CVE-2020-35678 | 2 Crossbar, Redhat | 3 Autobahn, Ansible Automation Platform, Ansible Tower | 2024-11-21 | 6.1 Medium |
| Autobahn|Python before 20.12.3 allows redirect header injection. | ||||
| CVE-2020-15366 | 2 Ajv.js, Redhat | 6 Ajv, Ansible Automation Platform, Enterprise Linux and 3 more | 2024-11-21 | 5.6 Medium |
| An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.) | ||||