CVE-2020-14330 – Ansible: masked keys for uri module are exposed into content and json output
https://notcve.org/view.php?id=CVE-2020-14330
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality. Se encontró un fallo de Neutralización de Salida Inapropiada para Registros en Ansible al usar el módulo uri, donde los datos confidenciales están expuestos en contenido y salida json. Este fallo permite a un atacante acceder a los registros o salidas de las tareas realizadas para leer las claves usadas en los libros de jugadas de otros usuarios dentro del módulo uri. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14330 https://github.com/ansible/ansible/issues/68400 https://www.debian.org/security/2021/dsa-4950 https://access.redhat.com/security/cve/CVE-2020-14330 https://bugzilla.redhat.com/show_bug.cgi?id=1856815 • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2020-14365 – ansible: dnf module install packages with no GPG signature
https://notcve.org/view.php?id=CVE-2020-14365
A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability. Se encontró un fallo en Ansible Engine, en ansible-engine versiones 2.8.x anteriores a 2.8.15 y ansible-engine versiones 2.9.x anteriores a 2.9.13, Cuando se instalan paquetes usando el módulo dnf. • https://bugzilla.redhat.com/show_bug.cgi?id=1869154 https://www.debian.org/security/2021/dsa-4950 https://access.redhat.com/security/cve/CVE-2020-14365 • CWE-347: Improper Verification of Cryptographic Signature •
CVE-2020-10691 – Ansible: archive traversal vulnerability in ansible-galaxy collection install
https://notcve.org/view.php?id=CVE-2020-10691
An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system. Se ha detectado un fallo de salto de archivo en todas las versiones de ansible-engine 2.9.x anteriores a 2.9.7, cuando se ejecuta una instalación de una colección ansible-galaxy. Al extraer un archivo .tar.gz de la colección, el directorio es creado sin sanear el nombre del archivo. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10691 https://github.com/ansible/ansible/pull/68596 https://access.redhat.com/security/cve/CVE-2020-10691 https://bugzilla.redhat.com/show_bug.cgi?id=1817161 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVE-2020-10685 – Ansible: modules which use files encrypted with vault are not properly cleaned up
https://notcve.org/view.php?id=CVE-2020-10685
A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10685 https://github.com/ansible/ansible/pull/68433 https://security.gentoo.org/glsa/202006-11 https://www.debian.org/security/2021/dsa-4950 https://access.redhat.com/security/cve/CVE-2020-10685 https://bugzilla.redhat.com/show_bug.cgi?id=1814627 • CWE-459: Incomplete Cleanup •
CVE-2020-1746 – ansible: Information disclosure issue in ldap_attr and ldap_entry modules
https://notcve.org/view.php?id=CVE-2020-1746
A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality. Se detectó un fallo en el Ansible Engine que afectaba a las versiones 2.7.x anteriores a 2.7.17 y versiones 2.8.x anteriores a 2.8.11 y versiones 2.9.x anteriores a 2.9.7 así como en Ansible Tower versiones anteriores e incluyendo a 3.4.5 y 3.5.5 y 3.6.3, cuando son usados los módulos de la comunidad ldap_attr y ldap_entry. El problema revela la contraseña de enlace de LDAP en stdout o un archivo de registro si una tarea del playbook se escribe usando el bind_pw en el campo parameters. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1746 https://github.com/ansible/ansible/pull/67866 https://www.debian.org/security/2021/dsa-4950 https://access.redhat.com/security/cve/CVE-2020-1746 https://bugzilla.redhat.com/show_bug.cgi?id=1805491 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •