CVE-2016-9587 – Ansible 2.1.4/2.2.1 - Command Execution
https://notcve.org/view.php?id=CVE-2016-9587
Ansible before versions 2.1.4 and 2.2.1 is vulnerable to improper input validation in its handling of data sent from client systems. An attacker with control over a client system managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server with the Ansible server's privileges. An input validation vulnerability was found in Ansible's handling of data sent from client systems.
References:
https://www.exploit-db.com/exploits/41013
http://rhn.redhat.com/errata/RHSA-2017-0195.html
http://rhn.redhat.com/errata/RHSA-2017-0260.html
http://www.securityfocus.com/bid/95352
https://access.redhat.com/errata/RHSA-2017:0448
https://access.redhat.com/errata/RHSA-2017:0515
https://access.redhat.com/errata/RHSA-2017:1685
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9587
https://security.gentoo.org/glsa/201701-77
https://access.redhat.com/security/cve/C
CWE-20: Improper Input Validation
CVE-2015-1481 – Ansible Tower 2.0.2 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-1481
Ansible Tower (aka Ansible UI) before 2.0.5 allows remote organization administrators to gain privileges by creating a superuser account.
References:
https://www.exploit-db.com/exploits/35786
http://packetstormsecurity.com/files/129944/Ansible-Tower-2.0.2-XSS-Privilege-Escalation-Authentication-Missing.html
http://seclists.org/fulldisclosure/2015/Jan/52
http://www.exploit-db.com/exploits/35786
http://www.securityfocus.com/archive/1/534464/100/0/threaded
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150113-1_Ansible-Tower_multiple-vulnerabilities_v10.txt
CWE-264: Permissions, Privileges, and Access Controls
CVE-2015-1482 – Ansible Tower 2.0.2 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-1482
Ansible Tower (aka Ansible UI) before 2.0.5 allows remote attackers to bypass authentication and obtain sensitive information via a websocket connection to socket.io/1/.
References:
https://www.exploit-db.com/exploits/35786
http://packetstormsecurity.com/files/129944/Ansible-Tower-2.0.2-XSS-Privilege-Escalation-Authentication-Missing.html
http://seclists.org/fulldisclosure/2015/Jan/52
http://www.exploit-db.com/exploits/35786
http://www.securityfocus.com/archive/1/534464/100/0/threaded
https://www.sec-consult.com/fxdata/seccons/prod/temedia/advisories_txt/20150113-1_Ansible-Tower_multiple-vulnerabilities_v10.txt
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2015-1368 – Ansible Tower 2.0.2 - Multiple Vulnerabilities
https://notcve.org/view.php?id=CVE-2015-1368
Multiple cross-site scripting (XSS) vulnerabilities in Ansible Tower (aka Ansible UI) before 2.0.5 allow remote attackers to inject arbitrary web script or HTML via the (1) order_by parameter to credentials/, (2) inventories/, (3) projects/, or (4) users/3/permissions/ in api/v1/, or the (5) next_run parameter to api/v1/schedules/.
References:
https://www.exploit-db.com/exploits/35786
http://osvdb.org/show/osvdb/116961
http://osvdb.org/show/osvdb/116962
http://osvdb.org/show/osvdb/116963
http://osvdb.org/show/osvdb/116964
http://osvdb.org/show/osvdb/116965
http://packetstormsecurity.com/files/129944/Ansible-Tower-2.0.2-XSS-Privilege-Escalation-Authentication-Missing.html
http://seclists.org/fulldisclosure/2015/Jan/52
http://www.exploit-db.com/exploits/35786
http://www.securityfocus.com/archive/1/534464/100
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')