Redhat: >> Ansible Security Vulnerabilities
A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.
CVSS Score
4.6
EPSS Score
0.006
Published
2019-07-30
Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files outside of the specified destination in the local ansible controller host, by not restricting an absolute path.
CVSS Score
4.2
EPSS Score
0.0
Published
2019-03-27
ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data.
CVSS Score
3.1
EPSS Score
0.01
Published
2019-01-03
A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key.
CVSS Score
6.3
EPSS Score
0.001
Published
2018-07-31
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.
CVSS Score
7.6
EPSS Score
0.005
Published
2018-07-31
Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.
CVSS Score
8.0
EPSS Score
0.025
Published
2018-06-22
Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys.
CVSS Score
7.4
EPSS Score
0.004
Published
2018-05-04
Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.
CVSS Score
6.6
EPSS Score
0.039
Published
2018-04-24
A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the "params" argument, and noting this in the module documentation.
CVSS Score
9.8
EPSS Score
0.005
Published
2017-11-21
The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands.
CVSS Score
8.8
EPSS Score
0.005
Published
2017-06-08