PyPI package
ansible
pkg:pypi/ansible
Vulnerabilities (66)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2014-3498 | High | 8.8 | | < 1.6.6 | 1.6.6 | Jun 8, 2017 | The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands. |
| CVE-2015-6240 | High | 7.8 | | < 1.9.2 | 1.9.2 | Jun 7, 2017 | The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack. |
| CVE-2016-3096 | High | 7.8 | | >= 2.0.0.0, < 2.0.2.0 | 2.0.2.0 | Jun 3, 2016 | The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, |
| CVE-2015-3908 | — | | | < 1.9.2 | 1.9.2 | Aug 12, 2015 | Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
| CVE-2013-4260 | — | | | >= 1.2, < 1.2.3 | 1.2.3 | Sep 16, 2013 | lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when playbook does not run due to an error, allows local users to overwrite arbitrary files via a symlink attack on a retry file with a predictable name in /var/tmp/ansible/. |
| CVE-2013-4259 | — | | | < 1.2.3 | 1.2.3 | Sep 16, 2013 | runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect a ssh session via a symlink attack on a socket file with a predictable name in /tmp/. |