CVSS: 5.5EPSS: 0%CPEs: 7EXPL: 0CVE-2019-10156 – ansible: unsafe template evaluation of returned module data can lead to information disclosure
https://notcve.org/view.php?id=CVE-2019-10156
09 Jul 2019 — A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed. Se detectó un fallo en la manera en que fueron implementadas las plantillas de Ansible en versiones anteriores a 2.6.18, 2.7.12 y 2.8.2, causando la posibilidad de revelación de información mediante la sus... • https://access.redhat.com/errata/RHSA-2019:3744 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2016-8614 – Ubuntu Security Notice USN-7330-1
https://notcve.org/view.php?id=CVE-2016-8614
31 Jul 2018 — A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key. Se ha descubierto un problema en versiones anteriores a la 2.2.0 de Ansible. El módulo apt_key no verifica correctamente las huellas de la clave, lo que permite que un adversario remoto cree una clave de OpenPGP que coincide con el ID de clave corto y la inyecte en luga... • http://www.securityfocus.com/bid/94108 • CWE-320: Key Management Errors CWE-358: Improperly Implemented Security Check for Standard •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2013-2233
https://notcve.org/view.php?id=CVE-2013-2233
04 May 2018 — Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys. Ansible en versiones anteriores a la 1.2.1 facilita que atacantes remotos lleven a cabo ataques Man-in-the-Middle (MitM) aprovechando el error a la hora de cachear claves de host SSH. • http://www.openwall.com/lists/oss-security/2013/07/01/2 • CWE-320: Key Management Errors •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000149
https://notcve.org/view.php?id=CVE-2018-1000149
05 Apr 2018 — A man in the middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older in AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, AnsiblePlaybookStep.java that disables host key verification by default. Existe una vulnerabilidad de Man-in-the-Middle (MitM) en el plugin Ansible en Jenkins, en versiones 0.8 y anteriores, en AbstractAnsibleInvocation.java, AnsibleAdHocComman... • https://jenkins.io/security/advisory/2018-03-26/#SECURITY-630 •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3498
https://notcve.org/view.php?id=CVE-2014-3498
08 Jun 2017 — The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands. El módulo de usuario en ansible, versiones anteriores a la 1.6.6, permite a usuarios remotos autenticados ejecutar comandos arbitrarios. • https://bugzilla.redhat.com/show_bug.cgi?id=1335551 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-6240 – Ubuntu Security Notice USN-7330-1
https://notcve.org/view.php?id=CVE-2015-6240
07 Jun 2017 — The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack. Los plugins chroot, jail, y zone connection en Ansible anterior a versión 1.9.2 permiten a los usuarios locales escapar de un entorno restringido por medio de un ataque de enlace simbólico (symlink). It was discovered that Ansible did not properly verify certain fields of X.509 certificates. An attacker could possibly use this issue to spoof SSL servers if they wer... • http://www.openwall.com/lists/oss-security/2015/08/17/10 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 8.5EPSS: 2%CPEs: 3EXPL: 0CVE-2017-7466 – ansible: Arbitrary code execution on control node (incomplete fix for CVE-2016-9587)
https://notcve.org/view.php?id=CVE-2017-7466
18 May 2017 — Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. Ansible en versiones anteriores a la 2.3 tiene una vulnerabilidad de validación de entradas en la gestión de datos enviados desde los sistemas del cliente. Un ata... • http://www.securityfocus.com/bid/97595 • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 10%CPEs: 3EXPL: 2CVE-2016-9587 – Ansible 2.1.4/2.2.1 - Command Execution
https://notcve.org/view.php?id=CVE-2016-9587
12 Jan 2017 — Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. Ansible, en versiones anteriores a la 2.1.4 y la 2.2.1, es vulnerable a una validación de entradas incorrecta en la gestión de Ansible de da... • https://packetstorm.news/files/id/140466 • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 1%CPEs: 1EXPL: 0CVE-2016-8628 – ansible: Command injection by compromised server via fact variables
https://notcve.org/view.php?id=CVE-2016-8628
16 Nov 2016 — Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as. Ansible en versiones anteriores a la 2.2.0 no sanea correctamente las variables de hecho enviadas desde el controlador de Ansible. Un atacante que pueda crear variables especiales en el controlador podría ejecutar comandos arbitrarios en los clientes ... • http://www.securityfocus.com/bid/94109 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2016-3096 – Gentoo Linux Security Advisory 201607-14
https://notcve.org/view.php?id=CVE-2016-3096
03 Jun 2016 — The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory. La función create_script en el módulo lxc_container en Ansible en versiones anteriores a 1.9.6-1 y 2.x en versiones anteriores a 2.0.2.... • http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183103.html • CWE-59: Improper Link Resolution Before File Access ('Link Following') •