CVSS: 3.3EPSS: 0%CPEs: 12EXPL: 1CVE-2020-1736 – ansible: atomic_move primitive sets permissive permissions
https://notcve.org/view.php?id=CVE-2020-1736
16 Mar 2020 — A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does not exist and if the file exists, the file could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. Se detectó un fallo en Ansible Engine, cuando un archivo es movido u... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1736 • CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 3.9EPSS: 0%CPEs: 14EXPL: 0CVE-2020-1739 – ansible: svn module leaks password when specified as a parameter
https://notcve.org/view.php?id=CVE-2020-1739
12 Mar 2020 — A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs. Se detectó un fallo en Ansible versiones 2.7.16 y anteriores, versiones 2.8.8 y anteriores y versiones 2.9.5 y anteriores, cuando es establecida una contraseña con el argumento "pas... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1739 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.0EPSS: 0%CPEs: 14EXPL: 1CVE-2020-1733 – ansible: insecure temporary directory when running become_user from become directive
https://notcve.org/view.php?id=CVE-2020-1733
11 Mar 2020 — A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p
CVSS: 7.3EPSS: 0%CPEs: 5EXPL: 0CVE-2019-14904 – Ansible: vulnerability in solaris_zone module via crafted solaris zone
https://notcve.org/view.php?id=CVE-2019-14904
23 Jan 2020 — A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected. Se encontró un fallo en el módulo solaris_zone de los módulos d... • https://bugzilla.redhat.com/show_bug.cgi?id=1776944 • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2019-10156 – ansible: unsafe template evaluation of returned module data can lead to information disclosure
https://notcve.org/view.php?id=CVE-2019-10156
09 Jul 2019 — A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed. Se detectó un fallo en la manera en que fueron implementadas las plantillas de Ansible en versiones anteriores a 2.6.18, 2.7.12 y 2.8.2, causando la posibilidad de revelación de información mediante la sus... • https://access.redhat.com/errata/RHSA-2019:3744 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7550 – ansible: jenkins_plugin module exposes passwords in remote host logs
https://notcve.org/view.php?id=CVE-2017-7550
19 Oct 2017 — A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the "params" argument, and noting this in the module documentation. Se encontró un fallo en la manera en la que Ansible (en versiones 2.3.x anteriores a la 2.3.3 y versiones 2.4.x anteriores a la 2.4.1) pasaba algu... • https://access.redhat.com/errata/RHSA-2017:2966 • CWE-532: Insertion of Sensitive Information into Log File •