Filtered by vendor Redhat Subscriptions
Filtered by product Ansible Tower Subscriptions
Total 130 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2020-1733 3 Debian, Fedoraproject, Redhat 7 Debian Linux, Fedora, Ansible and 4 more 2024-08-04 5 Medium
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>"; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc/<pid>/cmdline'.
CVE-2020-1735 3 Debian, Fedoraproject, Redhat 7 Debian Linux, Fedora, Ansible and 4 more 2024-08-04 4.2 Medium
A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
CVE-2020-1734 1 Redhat 2 Ansible Engine, Ansible Tower 2024-08-04 7.4 High
A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the ansible facts.
CVE-2021-20253 1 Redhat 2 Ansible Automation Platform, Ansible Tower 2024-08-03 6.7 Medium
A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVE-2021-20228 2 Debian, Redhat 6 Debian Linux, Ansible Automation Platform, Ansible Engine and 3 more 2024-08-03 7.5 High
A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from this vulnerability is to confidentiality.
CVE-2021-20191 2 Oracle, Redhat 12 Virtualization, Ansible, Ansible Automation Platform and 9 more 2024-08-03 5.5 Medium
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.
CVE-2021-20178 2 Fedoraproject, Redhat 7 Fedora, Ansible, Ansible Automation Platform and 4 more 2024-08-03 5.5 Medium
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
CVE-2021-4112 1 Redhat 5 Ansible Automation Platform, Ansible Automation Platform Early Access, Ansible Automation Platform Text-only Advisories and 2 more 2024-08-03 8.8 High
A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attacker to elevate the privilege from a low privileged user to an AWX user from outside the isolated environment.
CVE-2021-3583 1 Redhat 3 Ansible Automation Platform, Ansible Engine, Ansible Tower 2024-08-03 7.1 High
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. This flaw allows attackers to perform command injection, which discloses sensitive information. The highest threat from this vulnerability is to confidentiality and integrity.
CVE-2021-3447 2 Fedoraproject, Redhat 7 Fedora, Ansible, Ansible Automation Platform and 4 more 2024-08-03 5.5 Medium
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2.