CVE-2021-20178 – ansible: user data leak in snmp_facts module
https://notcve.org/view.php?id=CVE-2021-20178
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
• https://bugzilla.redhat.com/show_bug.cgi?id=1914774
• https://github.com/ansible-collections/community.general/pull/1635
• https://github.com/ansible/ansible/blob/v2.9.18/changelogs/CHANGELOG-v2.9.rst#security-fixes
• https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FUQ2QKAQA5OW2TY3ACZZMFIAJ2EQTG37
• https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIU7QZUV73U6ZQ6
• CWE-532: Insertion of Sensitive Information into Log File
CVE-2021-20191 – ansible: multiple modules expose secured values
https://notcve.org/view.php?id=CVE-2021-20191
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected.
• https://bugzilla.redhat.com/show_bug.cgi?id=1916813
• https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
• https://access.redhat.com/security/cve/CVE-2021-20191
• CWE-532: Insertion of Sensitive Information into Log File
CVE-2021-20180 – module: bitbucket_pipeline_variable exposes secured values
https://notcve.org/view.php?id=CVE-2021-20180
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality.
• https://bugzilla.redhat.com/show_bug.cgi?id=1915808
• https://access.redhat.com/security/cve/CVE-2021-20180
• CWE-532: Insertion of Sensitive Information into Log File
CVE-2020-2310
https://notcve.org/view.php?id=CVE-2020-2310
Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.
• https://www.jenkins.io/security/advisory/2020-11-04/#SECURITY-1943
CVE-2020-1738
https://notcve.org/view.php?id=CVE-2020-1738
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
• https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738
• https://github.com/ansible/ansible/issues/67796
• https://security.gentoo.org/glsa/202006-11
• CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')