Ansible Security Vulnerabilities and Issues — Ansible CVE List

Lucene search

RedhatAnsible

8 matches found

CVE•added 2018/07/19 1:29 p.m.•317 views

CVE-2017-7481

Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templat...

9.8CVSS9.3AI score0.03687EPSS

CVE•added 2018/04/24 4:29 p.m.•136 views

CVE-2016-9587

Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute a...

9.3CVSS8AI score0.03862EPSS

CVE•added 2020/02/20 3:15 a.m.•105 views

CVE-2014-4678

The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-4657.

9.8CVSS9.7AI score0.04731EPSS

CVE•added 2017/11/21 5:29 p.m.•80 views

CVE-2017-7550

A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in t...

9.8CVSS8.9AI score0.00461EPSS

CVE•added 2018/07/31 8:29 p.m.•77 views

CVE-2016-8628

Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.

9.1CVSS9.2AI score0.00512EPSS

CVE•added 2020/02/20 3:15 p.m.•57 views

CVE-2014-4657

The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.

9.8CVSS9.6AI score0.02239EPSS

CVE•added 2020/02/18 3:15 p.m.•56 views

CVE-2014-4967

Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" clause, or (3) a t...

9.8CVSS9.7AI score0.04747EPSS

CVE•added 2020/02/18 3:15 p.m.•52 views

CVE-2014-4966

Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data.

9.8CVSS9.6AI score0.04747EPSS