rpm package
suse/ansible&distro=SUSE Package Hub 15 SP3
pkg:rpm/suse/ansible&distro=SUSE%20Package%20Hub%2015%20SP3
Vulnerabilities (26)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2020-1737 | — | | | < 2.9.21-bp153.2.3.1 | 2.9.21-bp153.2.3.1 | Mar 9, 2020 | A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by cra |
| CVE-2020-1734 | — | | | < 2.9.21-bp153.2.3.1 | 2.9.21-bp153.2.3.1 | Mar 3, 2020 | A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not escaped by quote plugin. An attacker could take advantage and run arbitr |
| CVE-2019-14846 | — | | | < 2.9.21-bp153.2.3.1 | 2.9.21-bp153.2.3.1 | Oct 8, 2019 | In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which led to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not af |
| CVE-2019-10156 | — | | | < 2.9.21-bp153.2.3.1 | 2.9.21-bp153.2.3.1 | Jul 30, 2019 | A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any |
| CVE-2018-16837 | — | | | < 2.9.21-bp153.2.3.1 | 2.9.21-bp153.2.3.1 | Oct 23, 2018 | Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lead to undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which h |
| CVE-2018-10875 | — | | | < 2.9.21-bp153.2.3.1 | 2.9.21-bp153.2.3.1 | Jul 13, 2018 | A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code. |