CVE-2022-3205 – Controller: cross site scripting in automation controller ui
https://notcve.org/view.php?id=CVE-2022-3205
Cross site scripting in automation controller UI in Red Hat Ansible Automation Platform 1.2 and 2.0 where the project name is susceptible to XSS injection Se presenta un ataque de tipo un XSS en la Interfaz de Usuario del controlador de automatización en el que el nombre del proyecto es susceptible de inyección de tipo XSS • https://access.redhat.com/security/cve/CVE-2022-3205 https://bugzilla.redhat.com/show_bug.cgi?id=2120597 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVE-2022-1632
https://notcve.org/view.php?id=CVE-2022-1632
An Improper Certificate Validation attack was found in Openshift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality. Se ha encontrado un ataque de comprobación inapropiada de certificados en Openshift. Una ruta de re-encriptación con destinationCACertificate explícitamente establecido en el serviceCA por defecto omite la comprobación del certificado TLS del servicio interno. • https://bugzilla.redhat.com/show_bug.cgi?id=2081181 • CWE-295: Improper Certificate Validation •
CVE-2022-2568 – Ansible: Logic flaw leads to privilage escalation
https://notcve.org/view.php?id=CVE-2022-2568
A privilege escalation flaw was found in the Ansible Automation Platform. This flaw allows a remote authenticated user with 'change user' permissions to modify the account settings of the superuser account and also remove the superuser privileges. Se ha encontrado un fallo de escalada de privilegios en Ansible Automation Platform. Este fallo permite a un usuario remoto autenticado con permisos de tipo "change user" modificar la configuración de la cuenta de superusuario y también eliminar los privilegios de superusuario. • https://bugzilla.redhat.com/show_bug.cgi?id=2108653 https://access.redhat.com/security/cve/CVE-2022-2568 • CWE-269: Improper Privilege Management •
CVE-2021-3681
https://notcve.org/view.php?id=CVE-2021-3681
A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.yml" include files in the ``.tar.gz`` file. This contains sensitive info, such as the user's Ansible Galaxy API key and any secrets in ``ansible`` or ``ansible-playbook`` verbose output without the``no_log`` redaction. Currently, there is no way to deprecate a Collection Or delete a Collection Version. Once published, anyone who downloads or installs the collection can view the secrets. • https://bugzilla.redhat.com/show_bug.cgi?id=1989407 https://github.com/ansible/galaxy/issues/1977 • CWE-522: Insufficiently Protected Credentials •
CVE-2021-4112 – ansible-tower: Privilege escalation via job isolation escape
https://notcve.org/view.php?id=CVE-2021-4112
A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attacker to elevate the privilege from a low privileged user to an AWX user from outside the isolated environment. Se ha encontrado un fallo en ansible-tower en el que la instalación por defecto es vulnerable al escape de aislamiento de trabajos. Este fallo permite a un atacante elevar el privilegio de un usuario con pocos privilegios a un usuario AWX desde fuera del entorno aislado. • https://access.redhat.com/security/cve/CVE-2021-4112 https://bugzilla.redhat.com/show_bug.cgi?id=2028121 • CWE-552: Files or Directories Accessible to External Parties •