Lucene search

K
RedhatAnsible

20 matches found

CVE
CVE
added 2019/01/03 3:29 p.m.256 views

CVE-2018-16876

ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data.

5.3CVSS5AI score0.01032EPSS
CVE
CVE
added 2018/07/03 1:29 a.m.248 views

CVE-2018-10855

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on th...

5.9CVSS5.7AI score0.02523EPSS
CVE
CVE
added 2024/02/06 12:15 p.m.219 views

CVE-2024-0690

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as dec...

5.5CVSS5AI score0.00054EPSS
CVE
CVE
added 2020/03/11 7:15 p.m.211 views

CVE-2020-1733

A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 7...

5CVSS5.8AI score0.00036EPSS
CVE
CVE
added 2020/05/12 6:15 p.m.210 views

CVE-2020-1746

A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue disclo...

5CVSS5.6AI score0.00059EPSS
CVE
CVE
added 2022/03/16 3:15 p.m.201 views

CVE-2021-20180

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerabil...

5.5CVSS6AI score0.00044EPSS
CVE
CVE
added 2021/05/26 9:15 p.m.190 views

CVE-2021-20191

A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data...

5.5CVSS5.9AI score0.00026EPSS
CVE
CVE
added 2019/07/30 11:15 p.m.189 views

CVE-2019-10156

A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be dis...

5.5CVSS5.7AI score0.00524EPSS
CVE
CVE
added 2020/05/11 2:15 p.m.174 views

CVE-2020-10685

A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive,...

5.5CVSS5.8AI score0.00128EPSS
CVE
CVE
added 2021/05/26 12:15 p.m.170 views

CVE-2021-20178

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerabil...

5.5CVSS6AI score0.00031EPSS
CVE
CVE
added 2020/03/16 3:15 p.m.167 views

CVE-2020-1753

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl f...

5.5CVSS5.9AI score0.00039EPSS
CVE
CVE
added 2020/09/11 6:15 p.m.159 views

CVE-2020-14332

A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.

5.5CVSS5.1AI score0.00137EPSS
CVE
CVE
added 2020/04/30 5:15 p.m.156 views

CVE-2020-10691

An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within...

5.2CVSS5AI score0.00098EPSS
CVE
CVE
added 2021/04/01 6:15 p.m.153 views

CVE-2021-3447

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attac...

5.5CVSS5.2AI score0.00055EPSS
CVE
CVE
added 2020/09/11 6:15 p.m.142 views

CVE-2020-14330

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri mo...

5.5CVSS5.3AI score0.00123EPSS
CVE
CVE
added 2020/05/15 2:15 p.m.136 views

CVE-2020-10744

An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9...

5CVSS5.8AI score0.00038EPSS
CVE
CVE
added 2020/02/20 3:15 a.m.85 views

CVE-2014-4660

Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@serv...

5.5CVSS5.1AI score0.00119EPSS
CVE
CVE
added 2020/10/05 2:15 p.m.57 views

CVE-2020-25635

A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality.

5.5CVSS5.5AI score0.00136EPSS
CVE
CVE
added 2020/02/20 3:15 p.m.54 views

CVE-2014-4658

The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.

5.5CVSS5AI score0.00119EPSS
CVE
CVE
added 2020/02/20 3:15 p.m.45 views

CVE-2014-4659

Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format.

5.5CVSS5AI score0.00081EPSS