CVE-2021-20191 – ansible: multiple modules expose secured values
https://notcve.org/view.php?id=CVE-2021-20191
A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected. • https://bugzilla.redhat.com/show_bug.cgi?id=1916813 https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html https://access.redhat.com/security/cve/CVE-2021-20191 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2021-20180 – module: bitbucket_pipeline_variable exposes secured values
https://notcve.org/view.php?id=CVE-2021-20180
A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. Se ha encontrado un fallo en el módulo de ansible en el que las credenciales son divulgadas en el registro de la consola por defecto y no están protegidas por la función de seguridad cuando es usado el módulo bitbucket_pipeline_variable. Este fallo permite a un atacante robar las credenciales de bitbucket_pipeline. • https://bugzilla.redhat.com/show_bug.cgi?id=1915808 https://access.redhat.com/security/cve/CVE-2021-20180 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2020-1738
https://notcve.org/view.php?id=CVE-2020-1738
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. Se detectó un fallo en Ansible Engine, cuando el paquete o servicio del módulo es usado y el parámetro "use" no es especificado. Si una tarea anterior es ejecutada con un usuario malicioso, el módulo enviado puede ser seleccionado por parte del atacante usando el archivo de datos de ansible. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1738 https://github.com/ansible/ansible/issues/67796 https://security.gentoo.org/glsa/202006-11 • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') •
CVE-2020-1740 – ansible: secrets readable after ansible-vault edit
https://notcve.org/view.php?id=CVE-2020-1740
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. Se detectó un fallo en Ansible Engine cuando se usa Ansible Vault para editar archivos cifrados. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1740 https://github.com/ansible/ansible/issues/67798 https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJK • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-377: Insecure Temporary File •
CVE-2020-1735 – ansible: path injection on dest parameter in fetch module
https://notcve.org/view.php?id=CVE-2020-1735
A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. Se detectó un fallo en el Ansible Engine cuando es usado el módulo de búsqueda. Un atacante podría interceptar el módulo, inyectar una nueva ruta y luego elegir una nueva ruta destino en el nodo del controlador. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1735 https://github.com/ansible/ansible/issues/67793 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DKPA4KC3OJSUFASUYMG66HKJE7ADNGFW https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/MRRYUU5ZBLPBXCYG6CFP35D64NP2UB2S https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WQVOQD4VAIXXTVQAJKTN7NUGTJFE2PCB https://security.gentoo.org/glsa/202006-11 https://w • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •