CVE-2016-8647 – Ansible: in some circumstances the mysql_user module may fail to correctly change a password
https://notcve.org/view.php?id=CVE-2016-8647
An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail to correctly change a password in certain circumstances. Thus the previous password would still be active when it should have been changed. Se ha detectado una vulnerabilidad de validación de entradas en el módulo mysql_user de Ansible en versiones anteriores a la 2.2.1.0, el cual puede fallar a la hora de cambiar correctamente una contraseña en determinadas circunstancias. Entonces, la contraseña anterior seguiría activa cuando se debería haber cambiado. An input validation vulnerability was found in Ansible's mysql_user module which may fail to correctly change a password in certain circumstances. • https://access.redhat.com/errata/RHSA-2017:1685 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8647 https://github.com/ansible/ansible-modules-core/pull/5388 https://access.redhat.com/security/cve/CVE-2016-8647 https://bugzilla.redhat.com/show_bug.cgi?id=1396174 • CWE-20: Improper Input Validation •
CVE-2014-3498
https://notcve.org/view.php?id=CVE-2014-3498
The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands. El módulo de usuario en ansible, versiones anteriores a la 1.6.6, permite a usuarios remotos autenticados ejecutar comandos arbitrarios. • https://bugzilla.redhat.com/show_bug.cgi?id=1335551 https://github.com/ansible/ansible/commit/8ed6350e65c82292a631f08845dfaacffe7f07f5 • CWE-20: Improper Input Validation •
CVE-2015-6240
https://notcve.org/view.php?id=CVE-2015-6240
The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack. Los plugins chroot, jail, y zone connection en Ansible anterior a versión 1.9.2 permiten a los usuarios locales escapar de un entorno restringido por medio de un ataque de enlace simbólico (symlink). • http://www.openwall.com/lists/oss-security/2015/08/17/10 https://bugzilla.redhat.com/show_bug.cgi?id=1243468 https://github.com/ansible/ansible/commit/952166f48eb0f5797b75b160fd156bbe1e8fc647 https://github.com/ansible/ansible/commit/ca2f2c4ebd7b5e097eab0a710f79c1f63badf95b https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2017-7466 – ansible: Arbitrary code execution on control node (incomplete fix for CVE-2016-9587)
https://notcve.org/view.php?id=CVE-2017-7466
Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. Ansible en versiones anteriores a la 2.3 tiene una vulnerabilidad de validación de entradas en la gestión de datos enviados desde los sistemas del cliente. Un atacante que tenga el control de un sistema de cliente gestionado por Ansible y la capacidad de enviar hechos de vuelta al servidor de Ansible podría usar este error para ejecutar código arbitrario en el servidor de Ansible utilizando los privilegios del servidor de Ansible. An input validation vulnerability was found in Ansible's handling of data sent from client systems. • http://www.securityfocus.com/bid/97595 https://access.redhat.com/errata/RHSA-2017:1244 https://access.redhat.com/errata/RHSA-2017:1334 https://access.redhat.com/errata/RHSA-2017:1476 https://access.redhat.com/errata/RHSA-2017:1499 https://access.redhat.com/errata/RHSA-2017:1599 https://access.redhat.com/errata/RHSA-2017:1685 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466 https://access.redhat.com/security/cve/CVE-2017-7466 https://bugzilla.redhat.com/sho • CWE-20: Improper Input Validation •
CVE-2017-7481 – ansible: Security issue with lookup return not tainting the jinja2 environment
https://notcve.org/view.php?id=CVE-2017-7481
Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. Ansible en versiones anteriores a la 2.3.1.0 y 2.4.0.0 no marca correctamente los resultados del plugin lookup como no seguros. Si un atacante pudiese controlar los resultados de las llamadas lookup(), podrían inyectar cadenas Unicode para que sean analizadas por el sistema de plantillas jinja2, resultando en una ejecución de código. • http://www.securityfocus.com/bid/98492 https://access.redhat.com/errata/RHSA-2017:1244 https://access.redhat.com/errata/RHSA-2017:1334 https://access.redhat.com/errata/RHSA-2017:1476 https://access.redhat.com/errata/RHSA-2017:1499 https://access.redhat.com/errata/RHSA-2017:1599 https://access.redhat.com/errata/RHSA-2017:2524 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481 https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2 https://lists.deb • CWE-20: Improper Input Validation •