rpm package
suse/ansible&distro=SUSE Package Hub 15 SP1
pkg:rpm/suse/ansible&distro=SUSE%20Package%20Hub%2015%20SP1
Vulnerabilities (12)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2019-14904 | Hig | 7.3 | < 2.9.6-bp151.3.6.1 | 2.9.6-bp151.3.6.1 | Aug 26, 2020 | A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw | |
| CVE-2019-14905 | Med | 5.6 | < 2.9.6-bp151.3.6.1 | 2.9.6-bp151.3.6.1 | Mar 31, 2020 | A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parame | |
| CVE-2019-14864 | Med | 6.5 | < 2.9.6-bp151.3.6.1 | 2.9.6-bp151.3.6.1 | Jan 2, 2020 | Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any s | |
| CVE-2019-14856 | Med | 6.5 | < 2.9.6-bp151.3.6.1 | 2.9.6-bp151.3.6.1 | Nov 26, 2019 | ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None | |
| CVE-2019-10217 | Med | 6.5 | < 2.9.6-bp151.3.6.1 | 2.9.6-bp151.3.6.1 | Nov 25, 2019 | A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. An | |
| CVE-2019-10206 | Med | 6.5 | < 2.9.6-bp151.3.6.1 | 2.9.6-bp151.3.6.1 | Nov 22, 2019 | ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger an | |
| CVE-2019-14858 | Med | 5.5 | < 2.9.6-bp151.3.6.1 | 2.9.6-bp151.3.6.1 | Oct 14, 2019 | A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub par | |
| CVE-2019-14846 | Hig | 7.8 | < 2.9.6-bp151.3.6.1 | 2.9.6-bp151.3.6.1 | Oct 8, 2019 | In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not af | |
| CVE-2019-3828 | Med | 4.2 | < 2.8.1-bp151.3.3.1 | 2.8.1-bp151.3.3.1 | Mar 27, 2019 | Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path. | |
| CVE-2018-16876 | Med | 5.3 | < 2.8.1-bp151.3.3.1 | 2.8.1-bp151.3.3.1 | Jan 3, 2019 | ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data. | |
| CVE-2018-16859 | Med | 4.2 | < 2.8.1-bp151.3.3.1 | 2.8.1-bp151.3.3.1 | Nov 29, 2018 | Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the | |
| CVE-2018-16837 | Hig | 7.8 | < 2.8.1-bp151.3.3.1 | 2.8.1-bp151.3.3.1 | Oct 23, 2018 | Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which h |
- affected < 2.9.6-bp151.3.6.1fixed 2.9.6-bp151.3.6.1
A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw
- affected < 2.9.6-bp151.3.6.1fixed 2.9.6-bp151.3.6.1
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parame
- affected < 2.9.6-bp151.3.6.1fixed 2.9.6-bp151.3.6.1
Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any s
- affected < 2.9.6-bp151.3.6.1fixed 2.9.6-bp151.3.6.1
ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None
- affected < 2.9.6-bp151.3.6.1fixed 2.9.6-bp151.3.6.1
A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. An
- affected < 2.9.6-bp151.3.6.1fixed 2.9.6-bp151.3.6.1
ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger an
- affected < 2.9.6-bp151.3.6.1fixed 2.9.6-bp151.3.6.1
A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub par
- affected < 2.9.6-bp151.3.6.1fixed 2.9.6-bp151.3.6.1
In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not af
- affected < 2.8.1-bp151.3.3.1fixed 2.8.1-bp151.3.3.1
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
- affected < 2.8.1-bp151.3.3.1fixed 2.8.1-bp151.3.3.1
ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data.
- affected < 2.8.1-bp151.3.3.1fixed 2.8.1-bp151.3.3.1
Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the
- affected < 2.8.1-bp151.3.3.1fixed 2.8.1-bp151.3.3.1
Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which h