rpm package
suse/ansible&distro=SUSE OpenStack Cloud 8
pkg:rpm/suse/ansible&distro=SUSE%20OpenStack%20Cloud%208
Vulnerabilities (84)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2021-20180 | — | < 2.9.22-3.18.1 | 2.9.22-3.18.1 | Mar 16, 2022 | A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat f | ||
| CVE-2021-3620 | — | < 2.9.27-3.21.1 | 2.9.27-3.21.1 | Mar 3, 2022 | A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality. | ||
| CVE-2021-3583 | — | < 2.9.27-3.21.1 | 2.9.27-3.21.1 | Sep 22, 2021 | A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special templ | ||
| CVE-2020-10743 | — | < 2.4.6.0-3.9.1 | 2.4.6.0-3.9.1 | Jun 2, 2021 | It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana, | ||
| CVE-2020-10729 | — | < 2.9.14-3.15.1 | 2.9.14-3.15.1 | May 27, 2021 | A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be tha | ||
| CVE-2021-20191 | — | < 2.9.22-3.18.1 | 2.9.22-3.18.1 | May 26, 2021 | A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulne | ||
| CVE-2021-20178 | — | < 2.9.22-3.18.1 | 2.9.22-3.18.1 | May 26, 2021 | A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat f | ||
| CVE-2021-20228 | — | < 2.9.22-3.18.1 | 2.9.22-3.18.1 | Apr 29, 2021 | A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from | ||
| CVE-2021-3447 | — | < 2.9.22-3.18.1 | 2.9.22-3.18.1 | Apr 1, 2021 | A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_lo | ||
| CVE-2020-26137 | — | < 2.9.14-3.15.1 | 2.9.14-3.15.1 | Sep 29, 2020 | urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116. | ||
| CVE-2020-14365 | — | < 2.9.14-3.15.1 | 2.9.14-3.15.1 | Sep 23, 2020 | A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default be | ||
| CVE-2020-14332 | — | < 2.9.14-3.15.1 | 2.9.14-3.15.1 | Sep 11, 2020 | A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is t | ||
| CVE-2020-14330 | — | < 2.9.14-3.15.1 | 2.9.14-3.15.1 | Sep 11, 2020 | An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other user | ||
| CVE-2020-25032 | — | < 2.9.14-3.15.1 | 2.9.14-3.15.1 | Aug 31, 2020 | An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format. | ||
| CVE-2020-17376 | — | < 2.9.14-3.15.1 | 2.9.14-3.15.1 | Aug 26, 2020 | An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar | ||
| CVE-2019-14904 | — | < 2.9.14-3.15.1 | 2.9.14-3.15.1 | Aug 25, 2020 | A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw | ||
| CVE-2020-11110 | — | < 2.9.14-3.15.1 | 2.9.14-3.15.1 | Jul 27, 2020 | Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot. | ||
| CVE-2020-10177 | — | < 2.9.14-3.15.1 | 2.9.14-3.15.1 | Jun 25, 2020 | Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c. | ||
| CVE-2020-10994 | — | < 2.9.14-3.15.1 | 2.9.14-3.15.1 | Jun 25, 2020 | In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file. | ||
| CVE-2020-10378 | — | < 2.9.14-3.15.1 | 2.9.14-3.15.1 | Jun 25, 2020 | In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer. |
- CVE-2021-20180Mar 16, 2022affected < 2.9.22-3.18.1fixed 2.9.22-3.18.1
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat f
- CVE-2021-3620Mar 3, 2022affected < 2.9.27-3.21.1fixed 2.9.27-3.21.1
A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.
- CVE-2021-3583Sep 22, 2021affected < 2.9.27-3.21.1fixed 2.9.27-3.21.1
A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handled do not routinely include special templ
- CVE-2020-10743Jun 2, 2021affected < 2.4.6.0-3.9.1fixed 2.4.6.0-3.9.1
It was discovered that OpenShift Container Platform's (OCP) distribution of Kibana could open in an iframe, which made it possible to intercept and manipulate requests. This flaw allows an attacker to trick a user into performing arbitrary actions in OCP's distribution of Kibana,
- CVE-2020-10729May 27, 2021affected < 2.9.14-3.15.1fixed 2.9.14-3.15.1
A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be tha
- CVE-2021-20191May 26, 2021affected < 2.9.22-3.18.1fixed 2.9.22-3.18.1
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulne
- CVE-2021-20178May 26, 2021affected < 2.9.22-3.18.1fixed 2.9.22-3.18.1
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat f
- CVE-2021-20228Apr 29, 2021affected < 2.9.22-3.18.1fixed 2.9.22-3.18.1
A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensitive information. The highest threat from
- CVE-2021-3447Apr 1, 2021affected < 2.9.22-3.18.1fixed 2.9.22-3.18.1
A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_lo
- CVE-2020-26137Sep 29, 2020affected < 2.9.14-3.15.1fixed 2.9.14-3.15.1
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
- CVE-2020-14365Sep 23, 2020affected < 2.9.14-3.15.1fixed 2.9.14-3.15.1
A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default be
- CVE-2020-14332Sep 11, 2020affected < 2.9.14-3.15.1fixed 2.9.14-3.15.1
A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is t
- CVE-2020-14330Sep 11, 2020affected < 2.9.14-3.15.1fixed 2.9.14-3.15.1
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other user
- CVE-2020-25032Aug 31, 2020affected < 2.9.14-3.15.1fixed 2.9.14-3.15.1
An issue was discovered in Flask-CORS (aka CORS Middleware for Flask) before 3.0.9. It allows ../ directory traversal to access private resources because resource matching does not ensure that pathnames are in a canonical format.
- CVE-2020-17376Aug 26, 2020affected < 2.9.14-3.15.1fixed 2.9.14-3.15.1
An issue was discovered in Guest.migrate in virt/libvirt/guest.py in OpenStack Nova before 19.3.1, 20.x before 20.3.1, and 21.0.0. By performing a soft reboot of an instance that has previously undergone live migration, a user may gain access to destination host devices that shar
- CVE-2019-14904Aug 25, 2020affected < 2.9.14-3.15.1fixed 2.9.14-3.15.1
A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw
- CVE-2020-11110Jul 27, 2020affected < 2.9.14-3.15.1fixed 2.9.14-3.15.1
Grafana through 6.7.1 allows stored XSS due to insufficient input protection in the originalUrl field, which allows an attacker to inject JavaScript code that will be executed after clicking on Open Original Dashboard after visiting the snapshot.
- CVE-2020-10177Jun 25, 2020affected < 2.9.14-3.15.1fixed 2.9.14-3.15.1
Pillow before 7.1.0 has multiple out-of-bounds reads in libImaging/FliDecode.c.
- CVE-2020-10994Jun 25, 2020affected < 2.9.14-3.15.1fixed 2.9.14-3.15.1
In libImaging/Jpeg2KDecode.c in Pillow before 7.1.0, there are multiple out-of-bounds reads via a crafted JP2 file.
- CVE-2020-10378Jun 25, 2020affected < 2.9.14-3.15.1fixed 2.9.14-3.15.1
In libImaging/PcxDecode.c in Pillow before 7.1.0, an out-of-bounds read can occur when reading PCX files where state->shuffle is instructed to read beyond state->buffer.
Page 1 of 5