Ansible Tower Security Vulnerabilities and Issues — Ansible Tower CVE List

Lucene search

RedhatAnsible Tower

14 matches found

CVE•added 2020/03/11 7:15 p.m.•211 views

CVE-2020-1733

A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 7...

5CVSS5.8AI score0.00036EPSS

CVE•added 2020/05/12 6:15 p.m.•210 views

CVE-2020-1746

A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue disclo...

5CVSS5.6AI score0.00059EPSS

CVE•added 2021/05/26 9:15 p.m.•190 views

CVE-2021-20191

A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data...

5.5CVSS5.9AI score0.00026EPSS

CVE•added 2018/05/10 3:29 p.m.•174 views

CVE-2017-18267

The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler through 0.64.0 allows remote attackers to cause a denial of service (infinite recursion) via a crafted PDF file, as demonstrated by pdftops.

5.5CVSS5.7AI score0.00451EPSS

CVE•added 2020/05/11 2:15 p.m.•174 views

CVE-2020-10685

A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive,...

5.5CVSS5.8AI score0.00128EPSS

CVE•added 2021/05/26 12:15 p.m.•170 views

CVE-2021-20178

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerabil...

5.5CVSS6AI score0.00031EPSS

CVE•added 2020/03/16 3:15 p.m.•167 views

CVE-2020-1753

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl f...

5.5CVSS5.9AI score0.00039EPSS

CVE•added 2019/12/19 9:15 p.m.•156 views

CVE-2019-19342

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.4, when /websocket is requested and the password contains the '#' character. This request would cause a socket error in RabbitMQ when parsing the password and an HTTP error code 500 and partial password disclose wil...

5.3CVSS5.5AI score0.00338EPSS

CVE•added 2020/04/30 5:15 p.m.•156 views

CVE-2020-10691

An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within...

5.2CVSS5AI score0.00098EPSS

CVE•added 2021/04/01 6:15 p.m.•153 views

CVE-2021-3447

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attac...

5.5CVSS5.2AI score0.00055EPSS

CVE•added 2019/12/19 9:15 p.m.•149 views

CVE-2019-19341

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2, where files in '/var/backup/tower' are left world-readable. These files include both the SECRET_KEY and the database backup. Any user with access to the Tower server, and knowledge of when a backup is run, could retrieve every credenti...

5.9CVSS5.5AI score0.00103EPSS

CVE•added 2020/05/15 2:15 p.m.•136 views

CVE-2020-10744

An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9...

5CVSS5.8AI score0.00038EPSS

CVE•added 2021/05/27 8:15 p.m.•70 views

CVE-2020-14327

A Server-side request forgery (SSRF) flaw was found in Ansible Tower in versions before 3.6.5 and before 3.7.2. Functionality on the Tower server is abused by supplying a URL that could lead to the server processing it. This flaw leads to the connection to internal services or the exposure of addit...

5.5CVSS5.4AI score0.00039EPSS

CVE•added 2020/07/31 1:15 p.m.•53 views

CVE-2020-14337

A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes. This flaw allows an unauthenticated, remote attacker to retrieve pages from the default organization and verify existing usernames. The highest threat from this vulnerability is to data conf...

5.8CVSS5.6AI score0.01639EPSS