rpm package
opensuse/ansible&distro=openSUSE Tumbleweed
pkg:rpm/opensuse/ansible&distro=openSUSE%20Tumbleweed
Vulnerabilities (4)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2014-4967 | — | | | < 2.2.0.0-1.1 | 2.2.0.0-1.1 | Feb 18, 2020 | Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as demonstrated by a fact with (1) a trailing " src=" clause, (2) a trailing " temp=" |
| CVE-2014-4966 | — | | | < 2.2.0.0-1.1 | 2.2.0.0-1.1 | Feb 18, 2020 | Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code via (1) crafted lookup('pipe') calls or (2) crafted Jinja2 data. |
| CVE-2016-3096 | Hig | 7.8 | | < 2.2.0.0-1.1 | 2.2.0.0-1.1 | Jun 3, 2016 | The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, |
| CVE-2015-3908 | — | | | < 2.2.0.0-1.1 | 2.2.0.0-1.1 | Aug 12, 2015 | Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |