rpm package

opensuse/ansible&distro=openSUSE Leap 15.3

pkg:rpm/opensuse/ansible&distro=openSUSE%20Leap%2015.3

Vulnerabilities (34)

CVE	CVSS	Affected versions	Fixed in	Published	Description
CVE-2021-20180	—	< 2.9.27-150000.1.14.1	2.9.27-150000.1.14.1	Mar 16, 2022	A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat f
CVE-2021-3620	—	< 2.9.27-150000.1.14.1	2.9.27-150000.1.14.1	Mar 3, 2022	A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.
CVE-2021-3583	—	< 2.9.27-150000.1.14.1	2.9.27-150000.1.14.1	Sep 22, 2021	A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special templ
CVE-2020-10729	—	< 2.9.21-bp153.2.3.1	2.9.21-bp153.2.3.1	May 27, 2021	A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be tha
CVE-2021-20191	—	< 2.9.27-150000.1.14.1	2.9.27-150000.1.14.1	May 26, 2021	A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulne
CVE-2021-20178	—	< 2.9.27-150000.1.14.1	2.9.27-150000.1.14.1	May 26, 2021	A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat f
CVE-2021-29622	—	< 2.9.21-1.5.1	2.9.21-1.5.1	May 19, 2021	Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL
CVE-2021-20228	—	< 2.9.27-150000.1.14.1	2.9.27-150000.1.14.1	Apr 29, 2021	A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from
CVE-2021-3447	—	< 2.9.27-150000.1.14.1	2.9.27-150000.1.14.1	Apr 1, 2021	A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_lo
CVE-2021-28148	—	< 2.9.21-1.5.1	2.9.21-1.5.1	Mar 22, 2021	One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a deni
CVE-2021-28147	—	< 2.9.21-1.5.1	2.9.21-1.5.1	Mar 22, 2021	The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows
CVE-2021-28146	—	< 2.9.21-1.5.1	2.9.21-1.5.1	Mar 22, 2021	The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to gra
CVE-2021-27962	—	< 2.9.21-1.5.1	2.9.21-1.5.1	Mar 22, 2021	Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.
CVE-2020-14332	—	< 2.9.21-bp153.2.3.1	2.9.21-bp153.2.3.1	Sep 11, 2020	A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is t
CVE-2020-14330	—	< 2.9.21-bp153.2.3.1	2.9.21-bp153.2.3.1	Sep 11, 2020	An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other user
CVE-2019-14904	—	< 2.9.21-bp153.2.3.1	2.9.21-bp153.2.3.1	Aug 25, 2020	A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw
CVE-2020-1746	—	< 2.9.21-bp153.2.3.1	2.9.21-bp153.2.3.1	May 12, 2020	A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are use
CVE-2020-10685	—	< 2.9.21-bp153.2.3.1	2.9.21-bp153.2.3.1	May 11, 2020	A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble,
CVE-2020-10691	—	< 2.9.21-bp153.2.3.1	2.9.21-bp153.2.3.1	Apr 30, 2020	An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwr
CVE-2019-14905	—	< 2.9.21-bp153.2.3.1	2.9.21-bp153.2.3.1	Mar 31, 2020	A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parame

CVE-2021-20180Mar 16, 2022
affected < 2.9.27-150000.1.14.1fixed 2.9.27-150000.1.14.1
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat f
CVE-2021-3620Mar 3, 2022
affected < 2.9.27-150000.1.14.1fixed 2.9.27-150000.1.14.1
A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.
CVE-2021-3583Sep 22, 2021
affected < 2.9.27-150000.1.14.1fixed 2.9.27-150000.1.14.1
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special templ
CVE-2020-10729May 27, 2021
affected < 2.9.21-bp153.2.3.1fixed 2.9.21-bp153.2.3.1
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be tha
CVE-2021-20191May 26, 2021
affected < 2.9.27-150000.1.14.1fixed 2.9.27-150000.1.14.1
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulne
CVE-2021-20178May 26, 2021
affected < 2.9.27-150000.1.14.1fixed 2.9.27-150000.1.14.1
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat f
CVE-2021-29622May 19, 2021
affected < 2.9.21-1.5.1fixed 2.9.21-1.5.1
Prometheus is an open-source monitoring system and time series database. In 2.23.0, Prometheus changed its default UI to the New ui. To ensure a seamless transition, the URL's prefixed by /new redirect to /. Due to a bug in the code, it is possible for an attacker to craft an URL
CVE-2021-20228Apr 29, 2021
affected < 2.9.27-150000.1.14.1fixed 2.9.27-150000.1.14.1
A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from
CVE-2021-3447Apr 1, 2021
affected < 2.9.27-150000.1.14.1fixed 2.9.27-150000.1.14.1
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_lo
CVE-2021-28148Mar 22, 2021
affected < 2.9.21-1.5.1fixed 2.9.21-1.5.1
One of the usage insights HTTP API endpoints in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 is accessible without any authentication. This allows any unauthenticated user to send an unlimited number of requests to the endpoint, leading to a deni
CVE-2021-28147Mar 22, 2021
affected < 2.9.21-1.5.1fixed 2.9.21-1.5.1
The team sync HTTP API in Grafana Enterprise 6.x before 6.7.6, 7.x before 7.3.10, and 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service and having the EditorsCanAdmin feature enabled, this vulnerability allows
CVE-2021-28146Mar 22, 2021
affected < 2.9.21-1.5.1fixed 2.9.21-1.5.1
The team sync HTTP API in Grafana Enterprise 7.4.x before 7.4.5 has an Incorrect Access Control issue. On Grafana instances using an external authentication service, this vulnerability allows any authenticated user to add external groups to existing teams. This can be used to gra
CVE-2021-27962Mar 22, 2021
affected < 2.9.21-1.5.1fixed 2.9.21-1.5.1
Grafana Enterprise 7.2.x and 7.3.x before 7.3.10 and 7.4.x before 7.4.5 allows a dashboard editor to bypass a permission check concerning a data source they should not be able to access.
CVE-2020-14332Sep 11, 2020
affected < 2.9.21-bp153.2.3.1fixed 2.9.21-bp153.2.3.1
A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is t
CVE-2020-14330Sep 11, 2020
affected < 2.9.21-bp153.2.3.1fixed 2.9.21-bp153.2.3.1
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other user
CVE-2019-14904Aug 25, 2020
affected < 2.9.21-bp153.2.3.1fixed 2.9.21-bp153.2.3.1
A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw
CVE-2020-1746May 12, 2020
affected < 2.9.21-bp153.2.3.1fixed 2.9.21-bp153.2.3.1
A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are use
CVE-2020-10685May 11, 2020
affected < 2.9.21-bp153.2.3.1fixed 2.9.21-bp153.2.3.1
A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble,
CVE-2020-10691Apr 30, 2020
affected < 2.9.21-bp153.2.3.1fixed 2.9.21-bp153.2.3.1
An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwr
CVE-2019-14905Mar 31, 2020
affected < 2.9.21-bp153.2.3.1fixed 2.9.21-bp153.2.3.1
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parame

Page 1 of 2