CVSS: 5.0EPSS: 0%CPEs: 14EXPL: 1CVE-2020-1733 – ansible: insecure temporary directory when running become_user from become directive
https://notcve.org/view.php?id=CVE-2020-1733
11 Mar 2020 — A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-4659
https://notcve.org/view.php?id=CVE-2014-4659
20 Feb 2020 — Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format. Ansible versiones anteriores a 1.5.5, establece los permisos 0644 para sources.list, lo que podría permitir a usuarios locales obtener información confidencial de credenciales en circunstancias oportunistas mediante la lectura de un archivo que utiliza el formato "deb ht... • https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md • CWE-522: Insufficiently Protected Credentials •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-4658
https://notcve.org/view.php?id=CVE-2014-4658
20 Feb 2020 — The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file. El subsistema vault en Ansible versiones anteriores a 1.5.5, no establece el umask antes de la creación o modificación de un archivo vault, lo que permite a usuarios locales obtener información confidencial de claves mediante la lectura de un archivo. • https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-4660
https://notcve.org/view.php?id=CVE-2014-4660
20 Feb 2020 — Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by leveraging existence of a file that uses the "deb http://user:pass@server:port/" format. Ansible versiones anteriores a 1.5.5, construye nombres de archivos que contienen campos de usuario y contraseña sobre la base de líneas deb en sources.list, lo que podría permitir a usuarios loc... • https://github.com/ansible/ansible/blob/release1.5.5/CHANGELOG.md • CWE-522: Insufficiently Protected Credentials •
CVSS: 7.3EPSS: 0%CPEs: 5EXPL: 0CVE-2019-14904 – Ansible: vulnerability in solaris_zone module via crafted solaris zone
https://notcve.org/view.php?id=CVE-2019-14904
23 Jan 2020 — A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected. Se encontró un fallo en el módulo solaris_zone de los módulos d... • https://bugzilla.redhat.com/show_bug.cgi?id=1776944 • CWE-20: Improper Input Validation CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2014-2686
https://notcve.org/view.php?id=CVE-2014-2686
09 Jan 2020 — Ansible prior to 1.5.4 mishandles the evaluation of some strings. Ansible versiones anteriores a 1.5.4, maneja inapropiadamente la evaluación de algunas cadenas. • https://groups.google.com/forum/#%21searchin/ansible-project/1.5.4/ansible-project/MUQxiKwSQDc/id6aVaawVboJ • CWE-670: Always-Incorrect Control Flow Implementation •
CVSS: 6.5EPSS: 1%CPEs: 12EXPL: 1CVE-2019-14864 – Ansible: Splunk and Sumologic callback plugins leak sensitive data in logs
https://notcve.org/view.php?id=CVE-2019-14864
20 Nov 2019 — Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data. Ansible, versiones 2.9.x anteriores a la versión 2.9.1, versiones 2.8.x anteriores a la versión 2.8.7 y Ansible versiones 2.7.x anteriores a la versión 2.7.15, no respeta el flag no_log, configurado en True cuando los... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2019-14856 – ansible: Incomplete fix for CVE-2019-10206
https://notcve.org/view.php?id=CVE-2019-14856
24 Oct 2019 — ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None ansible versiones anteriores a 2.8.6, 2.7.14, 2.6.20 es vulnerable a un None The fix for CVE-2019-10206 was found to be incomplete for the data disclosure flaw in ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. The highest threat from this vu... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html • CWE-287: Improper Authentication •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-10217 – Ansible: gcp modules do not flag sensitive data fields properly
https://notcve.org/view.php?id=CVE-2019-10217
21 Aug 2019 — A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks. Se encontró un fallo en ansible versiones 2.8.0 anteriores a 2.8.4. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 6.5EPSS: 0%CPEs: 6EXPL: 0CVE-2019-10206 – Ansible: disclosure data when prompted for password and template characters are passed
https://notcve.org/view.php?id=CVE-2019-10206
21 Aug 2019 — ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them. ansible-playbook -k y ansible cli tools, todas las versiones 2.8.x anteriores a 2.8.4, todas las 2.7.x anteriores a 2.7.13 y todas las 2.6.x anteriores a 2.6.19, solicitan contraseñas mediante expansión de plantilla... • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html • CWE-522: Insufficiently Protected Credentials •