CVSS: 5.5EPSS: 0%CPEs: 13EXPL: 0CVE-2020-10685 – Ansible: modules which use files encrypted with vault are not properly cleaned up
https://notcve.org/view.php?id=CVE-2020-10685
A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10685 https://github.com/ansible/ansible/pull/68433 https://security.gentoo.org/glsa/202006-11 https://www.debian.org/security/2021/dsa-4950 https://access.redhat.com/security/cve/CVE-2020-10685 https://bugzilla.redhat.com/show_bug.cgi?id=1814627 • CWE-459: Incomplete Cleanup •
CVSS: 7.3EPSS: 0%CPEs: 10EXPL: 0CVE-2019-14905 – Ansible: malicious code could craft filename in nxos_file_copy module
https://notcve.org/view.php?id=CVE-2019-14905
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues. Se detectó una vulnerabilidad en Ansible Engine versiones 2.9.x anteriores a 2.9.3, versiones 2.8.x anteriores a 2.8.8, versiones 2.7.x anteriores a 2.7.16 y anteriores, donde en el módulo nxos_file_copy de Ansible puede ser usado para copiar archivos a una flash o bootflash en dispositivos NXOS. Un código malicioso podría diseñar el parámetro filename para llevar a cabo inyecciones de comandos de Sistema Operativo. • http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html https://access.redhat.com/errata/RHSA-2020:0216 https://access.redhat.com/errata/RHSA-2020:0218 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14905 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5BNCYPQ4BY5QHBCJOAOPANB5FHATW2BR https://access.redhat.com/security/cve/CVE-2019-14905 https://bugzilla.red • CWE-20: Improper Input Validation CWE-73: External Control of File Name or Path CWE-668: Exposure of Resource to Wrong Sphere •
CVSS: 7.5EPSS: 0%CPEs: 4EXPL: 0CVE-2013-1793
https://notcve.org/view.php?id=CVE-2013-1793
openstack-utils openstack-db has insecure password creation openstack-db de openstack-utils, tiene una creación de contraseña no segura. • https://access.redhat.com/security/cve/cve-2013-1793 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1793 • CWE-306: Missing Authentication for Critical Function •
CVSS: 9.1EPSS: 0%CPEs: 8EXPL: 2CVE-2019-14859 – python-ecdsa: DER encoding is not being verified in signatures
https://notcve.org/view.php?id=CVE-2019-14859
A flaw was found in all python-ecdsa versions before 0.13.3, where it did not correctly verify whether signatures used DER encoding. Without this verification, a malformed signature could be accepted, making the signature malleable. Without proper verification, an attacker could use a malleable signature to create false transactions. Se encontró un fallo en todas las versiones de python-ecdsa anteriores a la versión 0.13.3, donde no se comprobaba correctamente si las firmas usaban codificación DER. Sin esta comprobación, se podría aceptar una firma malformada, haciendo que la firma sea maleable. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14859 https://github.com/warner/python-ecdsa/issues/114 https://github.com/warner/python-ecdsa/releases/tag/python-ecdsa-0.13.3 https://pypi.org/project/ecdsa/0.13.3 https://access.redhat.com/security/cve/CVE-2019-14859 https://bugzilla.redhat.com/show_bug.cgi?id=1760843 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 6.5EPSS: 0%CPEs: 11EXPL: 1CVE-2013-6461
https://notcve.org/view.php?id=CVE-2013-6461
Nokogiri gem 1.5.x and 1.6.x has DoS while parsing XML entities by failing to apply limits La gema Nokogiri versiones 1.5.x y 1.6.x, tienebn una DoS durante el análisis de entidades XML al fallar para aplicar límites. • http://www.openwall.com/lists/oss-security/2013/12/27/2 http://www.securityfocus.com/bid/64513 https://access.redhat.com/security/cve/cve-2013-6461 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-6461 https://exchange.xforce.ibmcloud.com/vulnerabilities/90059 https://security-tracker.debian.org/tracker/CVE-2013-6461 • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') •