Lucene search

K

10 matches found

CVE
CVE
added 2018/07/19 1:29 p.m.350 views

CVE-2017-7481

Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templat...

9.8CVSS9.3AI score0.03687EPSS
In wild
CVE
CVE
added 2019/10/08 7:15 p.m.246 views

CVE-2019-14846

In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible module...

7.8CVSS7.3AI score0.00141EPSS
CVE
CVE
added 2020/03/09 4:15 p.m.234 views

CVE-2020-1737

A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive an...

7.8CVSS7AI score0.00119EPSS
CVE
CVE
added 2018/11/29 6:29 p.m.222 views

CVE-2018-16859

Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password....

4.4CVSS4.8AI score0.00099EPSS
CVE
CVE
added 2022/03/03 7:15 p.m.213 views

CVE-2021-3620

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.

5.5CVSS5.3AI score0.002EPSS
CVE
CVE
added 2020/03/16 3:15 p.m.183 views

CVE-2020-1753

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl f...

5.5CVSS5.9AI score0.00039EPSS
CVE
CVE
added 2021/09/22 12:15 p.m.166 views

CVE-2021-3583

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. Thi...

7.1CVSS6.8AI score0.00407EPSS
CVE
CVE
added 2020/09/11 6:15 p.m.147 views

CVE-2020-14330

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri mo...

5.5CVSS5.3AI score0.00123EPSS
CVE
CVE
added 2021/05/27 7:15 p.m.127 views

CVE-2020-10729

A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are...

5.5CVSS5.4AI score0.00091EPSS
CVE
CVE
added 2018/07/26 2:29 p.m.85 views

CVE-2016-8647

An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed.

4.9CVSS5.8AI score0.00171EPSS