CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-2310
https://notcve.org/view.php?id=CVE-2020-2310
04 Nov 2020 — Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. Una falta de comprobación de permisos en Jenkins Ansible Plugin versiones 1.0 y anteriores, permiten a atacantes con permiso Overall/Read enumerar los ID de credenciales almacenadas en Jenkins • https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-1943 •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-25635
https://notcve.org/view.php?id=CVE-2020-25635
05 Oct 2020 — A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality. Se encontró un fallo en Ansible Base al usar el plugin de conexión aws_ssm, ya que la recolección de basura no está pasando después de que el playbook se haya completado. Los archivos permanecerían en el bucket exponiendo los datos. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-25636
https://notcve.org/view.php?id=CVE-2020-25636
05 Oct 2020 — A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability. Se encontró un fallo en Ansible Base cuando se usa el plugin de conexión aws_ssm, ya que no posee una separación de espacios de nombres para las transferencias de archivos. Los archivos se escriben directame... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25636 • CWE-377: Insecure Temporary File CWE-552: Files or Directories Accessible to External Parties •
CVSS: 5.0EPSS: 0%CPEs: 6EXPL: 0CVE-2020-10744
https://notcve.org/view.php?id=CVE-2020-10744
15 May 2020 — An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected and Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected. Se ha encontrado una corrección incompleta para la corrección del fallo de ansible CVE... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-377: Insecure Temporary File •
CVSS: 7.9EPSS: 0%CPEs: 12EXPL: 0CVE-2020-10684 – Ansible: code injection when using ansible_facts as a subkey
https://notcve.org/view.php?id=CVE-2020-10684
24 Mar 2020 — A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection. Se descubrió un fallo en Ansible Engine, todas las version... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-862: Missing Authorization •
CVSS: 3.9EPSS: 0%CPEs: 9EXPL: 0CVE-2020-1738 – Gentoo Linux Security Advisory 202006-11
https://notcve.org/view.php?id=CVE-2020-1738
16 Mar 2020 — A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. Se detectó un fallo en Ansible Engine, cuando el paquete o servicio del módulo es usado y el parámetro "use" no es especificado. Si una tarea anterior es ejecutada con un usuario ma... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVSS: 4.7EPSS: 0%CPEs: 14EXPL: 0CVE-2020-1740 – ansible: secrets readable after ansible-vault edit
https://notcve.org/view.php?id=CVE-2020-1740
16 Mar 2020 — A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerabl... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-377: Insecure Temporary File •
CVSS: 4.6EPSS: 0%CPEs: 13EXPL: 1CVE-2020-1735 – ansible: path injection on dest parameter in fetch module
https://notcve.org/view.php?id=CVE-2020-1735
16 Mar 2020 — A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. Se detectó un fallo en el Ansible Engine cuando es usado el módulo de búsqueda. Un atacante podría interceptar el módulo, inyectar una nueva ruta y luego elegir una nueva ruta destino en el nodo del controlador. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 3.3EPSS: 0%CPEs: 12EXPL: 1CVE-2020-1736 – ansible: atomic_move primitive sets permissive permissions
https://notcve.org/view.php?id=CVE-2020-1736
16 Mar 2020 — A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. Se detectó un fallo en Ansible Engine, cuando un archivo es movido u... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 3.9EPSS: 0%CPEs: 14EXPL: 0CVE-2020-1739 – ansible: svn module leaks password when specified as a parameter
https://notcve.org/view.php?id=CVE-2020-1739
12 Mar 2020 — A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs. Se detectó un fallo en Ansible versiones 2.7.16 y anteriores, versiones 2.8.8 y anteriores y versiones 2.9.5 y anteriores, cuando es establecida una contraseña con el argumento "pas... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •