Ansible Tower@* Security Vulnerabilities and Issues — Ansible Tower@* CVE List

Lucene search

RedhatAnsible Tower*

9 matches found

CVE•added 2021/09/22 12:15 p.m.•159 views

CVE-2021-3583

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special template characters. Thi...

7.1CVSS6.8AI score0.00388EPSS

CVE•added 2021/04/01 6:15 p.m.•153 views

CVE-2021-3447

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attac...

5.5CVSS5.2AI score0.00055EPSS

CVE•added 2021/03/09 6:15 p.m.•85 views

CVE-2021-20253

A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. The highest threat from this vulnerability is to data confidentiality and...

6.7CVSS6.3AI score0.00278EPSS

CVE•added 2021/05/27 7:15 p.m.•74 views

CVE-2020-10698

A flaw was found in Ansible Tower when running jobs. This flaw allows an attacker to access the stdout of the executed jobs which are run from other organizations. Some sensible data can be disclosed. However, critical data should not be disclosed, as it should be protected by the no_log flag when ...

3.3CVSS3.9AI score0.00041EPSS

CVE•added 2021/05/27 7:15 p.m.•70 views

CVE-2020-10697

A flaw was found in Ansible Tower when running Openshift. Tower runs a memcached, which is accessed via TCP. An attacker can take advantage of writing a playbook polluting this cache, causing a denial of service attack. This attack would not completely stop the service, but in the worst-case scenar...

4.4CVSS4.5AI score0.00127EPSS

CVE•added 2021/05/27 8:15 p.m.•70 views

CVE-2020-14327

A Server-side request forgery (SSRF) flaw was found in Ansible Tower in versions before 3.6.5 and before 3.7.2. Functionality on the Tower server is abused by supplying a URL that could lead to the server processing it. This flaw leads to the connection to internal services or the exposure of addit...

5.5CVSS5.4AI score0.00039EPSS

CVE•added 2021/05/27 8:15 p.m.•64 views

CVE-2020-14329

A data exposure flaw was found in Ansible Tower in versions before 3.7.2, where sensitive data can be exposed from the /api/v2/labels/ endpoint. This flaw allows users from other organizations in the system to retrieve any label from the organization and also disclose organization names. The highes...

3.3CVSS3.8AI score0.00041EPSS

CVE•added 2021/05/27 7:15 p.m.•59 views

CVE-2020-10709

A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a refresh token that does not expire. The original token granted to the user still has access to Ansi...

7.1CVSS6.7AI score0.00094EPSS

CVE•added 2021/05/27 8:15 p.m.•56 views

CVE-2020-14328

A flaw was found in Ansible Tower in versions before 3.7.2. A Server Side Request Forgery flaw can be abused by supplying a URL which could lead to the server processing it connecting to internal services or exposing additional internal services and more particularly retrieving full details in case...

3.3CVSS4AI score0.00035EPSS