Filtered by vendor Redhat
Filtered by product Ansible
Total: 45 CVE
CVE | Vendors | Products | Updated | CVSS v3.1 |
---|---|---|---|---|
CVE-2023-5764 | 2 Fedoraproject, Redhat | 9 Extra Packages For Enterprise Linux, Fedora, Ansible and 6 more | 2024-10-25 | 7.1 High |
A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data. | ||||
CVE-2024-0690 | 2 Fedoraproject, Redhat | 8 Fedora, Ansible, Ansible Automation Platform and 5 more | 2024-09-16 | 5 Medium |
An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values. | ||||
CVE-2013-4260 | 1 Redhat | 1 Ansible | 2024-08-06 | N/A |
lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when playbook does not run due to an error, allows local users to overwrite arbitrary files via a symlink attack on a retry file with a predictable name in /var/tmp/ansible/. | ||||
CVE-2013-4259 | 1 Redhat | 1 Ansible | 2024-08-06 | N/A |
runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect an SSH session via a symlink attack on a socket file with a predictable name in /tmp/. | ||||
CVE-2013-2233 | 1 Redhat | 1 Ansible | 2024-08-06 | N/A |
Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys. | ||||
CVE-2014-4966 | 1 Redhat | 1 Ansible | 2024-08-06 | 9.8 Critical |
Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data. | ||||
CVE-2014-4967 | 1 Redhat | 1 Ansible | 2024-08-06 | 9.8 Critical |
Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" clause, or (3) a trailing " validate=" clause accompanied by a shell command. | ||||
CVE-2014-4678 | 2 Debian, Redhat | 2 Debian Linux, Ansible | 2024-08-06 | 9.8 Critical |
The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657. | ||||
CVE-2014-4660 | 1 Redhat | 1 Ansible | 2024-08-06 | 5.5 Medium |
Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format. | ||||
CVE-2014-4658 | 1 Redhat | 1 Ansible | 2024-08-06 | 5.5 Medium |
The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file. | ||||
CVE-2014-4657 | 1 Redhat | 1 Ansible | 2024-08-06 | 9.8 Critical |
The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. | ||||
CVE-2014-4659 | 1 Redhat | 1 Ansible | 2024-08-06 | 5.5 Medium |
Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format. | ||||
CVE-2014-3498 | 1 Redhat | 1 Ansible | 2024-08-06 | N/A |
The user module in Ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands. | ||||
CVE-2014-2686 | 1 Redhat | 1 Ansible | 2024-08-06 | 7.5 High |
Ansible prior to 1.5.4 mishandles the evaluation of some strings. | ||||
CVE-2015-6240 | 1 Redhat | 1 Ansible | 2024-08-06 | N/A |
The chroot, jail, and zone connection plugins in Ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack. | ||||
CVE-2015-3908 | 1 Redhat | 1 Ansible | 2024-08-06 | N/A |
Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. | ||||
CVE-2016-9587 | 2 Ansible, Redhat | 7 Ansible, Ansible, Openshift and 4 more | 2024-08-06 | 8.1 High |
Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. | ||||
CVE-2016-8614 | 1 Redhat | 1 Ansible | 2024-08-06 | N/A |
A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing a remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key. | ||||
CVE-2016-8628 | 1 Redhat | 2 Ansible, Openshift | 2024-08-06 | N/A |
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as. | ||||
CVE-2016-3096 | 2 Fedoraproject, Redhat | 2 Fedora, Ansible | 2024-08-05 | N/A |
The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory. |