Lucene search

K

23 matches found

CVE
CVE
added 2020/08/26 3:15 a.m.274 views

CVE-2019-14904

A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the nam...

7.3CVSS7.3AI score0.0004EPSS
CVE
CVE
added 2024/02/06 12:15 p.m.228 views

CVE-2024-0690

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as dec...

5.5CVSS5AI score0.00059EPSS
CVE
CVE
added 2022/03/16 3:15 p.m.206 views

CVE-2021-20180

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerabil...

5.5CVSS6AI score0.00055EPSS
CVE
CVE
added 2020/03/16 4:15 p.m.199 views

CVE-2020-1735

A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

4.6CVSS5.2AI score0.00143EPSS
CVE
CVE
added 2020/03/16 4:15 p.m.197 views

CVE-2020-1740

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the...

4.7CVSS5.2AI score0.00036EPSS
CVE
CVE
added 2021/05/26 9:15 p.m.197 views

CVE-2021-20191

A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data...

5.5CVSS5.9AI score0.00026EPSS
CVE
CVE
added 2019/07/30 11:15 p.m.195 views

CVE-2019-10156

A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be dis...

5.5CVSS5.7AI score0.0063EPSS
CVE
CVE
added 2021/05/26 12:15 p.m.177 views

CVE-2021-20178

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerabil...

5.5CVSS6AI score0.00031EPSS
CVE
CVE
added 2021/04/01 6:15 p.m.162 views

CVE-2021-3447

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attac...

5.5CVSS5.2AI score0.00055EPSS
CVE
CVE
added 2018/06/22 1:29 p.m.147 views

CVE-2017-7466

Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the A...

8.5CVSS8AI score0.02883EPSS
CVE
CVE
added 2018/04/24 4:29 p.m.144 views

CVE-2016-9587

Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute a...

9.3CVSS8AI score0.03985EPSS
CVE
CVE
added 2023/12/12 10:15 p.m.141 views

CVE-2023-5764

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.

7.8CVSS7.1AI score0.00071EPSS
CVE
CVE
added 2020/02/20 3:15 a.m.107 views

CVE-2014-4678

The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657.

9.8CVSS9.7AI score0.04731EPSS
CVE
CVE
added 2020/02/20 3:15 a.m.86 views

CVE-2014-4660

Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@serv...

5.5CVSS5.1AI score0.00119EPSS
CVE
CVE
added 2018/07/31 9:29 p.m.85 views

CVE-2016-8614

A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.

7.5CVSS7.3AI score0.00079EPSS
CVE
CVE
added 2018/07/31 8:29 p.m.82 views

CVE-2016-8628

Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.

9.1CVSS9.2AI score0.005EPSS
CVE
CVE
added 2018/05/04 8:29 p.m.67 views

CVE-2013-2233

Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys.

7.4CVSS7.2AI score0.00369EPSS
CVE
CVE
added 2020/02/18 3:15 p.m.59 views

CVE-2014-4967

Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" clause, or (3) a t...

9.8CVSS9.7AI score0.04747EPSS
CVE
CVE
added 2020/02/20 3:15 p.m.58 views

CVE-2014-4657

The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.

9.8CVSS9.6AI score0.02239EPSS
CVE
CVE
added 2020/02/20 3:15 p.m.55 views

CVE-2014-4658

The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.

5.5CVSS5AI score0.00119EPSS
CVE
CVE
added 2020/01/09 1:15 p.m.54 views

CVE-2014-2686

Ansible prior to 1.5.4 mishandles the evaluation of some strings.

7.5CVSS7.4AI score0.00376EPSS
CVE
CVE
added 2020/02/18 3:15 p.m.53 views

CVE-2014-4966

Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.

9.8CVSS9.6AI score0.04747EPSS
CVE
CVE
added 2020/02/20 3:15 p.m.46 views

CVE-2014-4659

Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.

5.5CVSS5AI score0.00081EPSS
Web