Filtered by vendor Redhat Subscriptions
Filtered by product Ansible Engine Subscriptions
Total 42 CVE
CVE Vendors Products Updated CVSS v3.1
CVE-2021-3620 1 Redhat 12 Ansible Automation Platform, Ansible Automation Platform Early Access, Ansible Engine and 9 more 2024-10-15 5.5 Medium
A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.
CVE-2016-8647 1 Redhat 3 Ansible Engine, Rhev Manager, Virtualization 2024-08-06 4.9 Medium
An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed.
CVE-2017-7481 3 Canonical, Debian, Redhat 14 Ubuntu Linux, Debian Linux, Ansible Engine and 11 more 2024-08-05 9.8 Critical
Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated.
CVE-2018-16859 1 Redhat 1 Ansible Engine 2024-08-05 N/A
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.
CVE-2018-16876 4 Canonical, Debian, Redhat and 1 more 10 Ubuntu Linux, Debian Linux, Ansible and 7 more 2024-08-05 5.3 Medium
ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data.
CVE-2018-16837 3 Debian, Redhat, Suse 6 Debian Linux, Ansible Engine, Ansible Tower and 3 more 2024-08-05 N/A
Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.
CVE-2018-10875 4 Canonical, Debian, Redhat and 1 more 12 Ubuntu Linux, Debian Linux, Ansible Engine and 9 more 2024-08-05 7.8 High
A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.
CVE-2018-10855 3 Canonical, Debian, Redhat 8 Ubuntu Linux, Debian Linux, Ansible Engine and 5 more 2024-08-05 5.9 Medium
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
CVE-2018-10874 1 Redhat 5 Ansible Engine, Enterprise Linux, Openstack and 2 more 2024-08-05 N/A
In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.
CVE-2018-7750 3 Debian, Paramiko, Redhat 18 Debian Linux, Paramiko, Ansible Engine and 15 more 2024-08-05 9.8 Critical
transport.py in the SSH server implementation of Paramiko before 1.17.6, 1.18.x before 1.18.5, 2.0.x before 2.0.8, 2.1.x before 2.1.5, 2.2.x before 2.2.3, 2.3.x before 2.3.2, and 2.4.x before 2.4.1 does not properly check whether authentication is completed before processing other requests, as demonstrated by channel-open. A customized SSH client can simply skip the authentication step.
CVE-2019-14905 3 Fedoraproject, Opensuse, Redhat 8 Fedora, Backports Sle, Leap and 5 more 2024-08-05 5.6 Medium
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.
CVE-2019-14904 2 Debian, Redhat 3 Debian Linux, Ansible, Ansible Engine 2024-08-05 7.3 High
A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.
CVE-2019-14846 3 Debian, Opensuse, Redhat 6 Debian Linux, Backports Sle, Leap and 3 more 2024-08-05 7.8 High
In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.
CVE-2019-14856 2 Opensuse, Redhat 5 Backports Sle, Leap, Ansible and 2 more 2024-08-05 6.5 Medium
ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None
CVE-2019-14864 3 Debian, Opensuse, Redhat 9 Debian Linux, Backports Sle, Leap and 6 more 2024-08-05 6.5 Medium
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.
CVE-2019-14858 1 Redhat 3 Ansible Engine, Ansible Tower, Openstack 2024-08-05 5.5 Medium
A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
CVE-2019-10206 3 Debian, Opensuse, Redhat 6 Debian Linux, Backports Sle, Leap and 3 more 2024-08-04 6.5 Medium
ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.
CVE-2019-10217 1 Redhat 2 Ansible, Ansible Engine 2024-08-04 6.5 Medium
A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.
CVE-2019-10156 2 Debian, Redhat 4 Debian Linux, Ansible, Ansible Engine and 1 more 2024-08-04 5.4 Medium
A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.
CVE-2019-3828 1 Redhat 3 Ansible, Ansible Engine, Openstack 2024-08-04 4.2 Medium
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.