CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2013-2233
https://notcve.org/view.php?id=CVE-2013-2233
04 May 2018 — Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys. Ansible en versiones anteriores a la 1.2.1 facilita que atacantes remotos lleven a cabo ataques Man-in-the-Middle (MitM) aprovechando el error a la hora de cachear claves de host SSH. • http://www.openwall.com/lists/oss-security/2013/07/01/2 • CWE-320: Key Management Errors •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000149
https://notcve.org/view.php?id=CVE-2018-1000149
05 Apr 2018 — A man in the middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older in AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, AnsiblePlaybookStep.java that disables host key verification by default. Existe una vulnerabilidad de Man-in-the-Middle (MitM) en el plugin Ansible en Jenkins, en versiones 0.8 y anteriores, en AbstractAnsibleInvocation.java, AnsibleAdHocComman... • https://jenkins.io/security/advisory/2018-03-26/#SECURITY-630 •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7550 – ansible: jenkins_plugin module exposes passwords in remote host logs
https://notcve.org/view.php?id=CVE-2017-7550
19 Oct 2017 — A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the "params" argument, and noting this in the module documentation. Se encontró un fallo en la manera en la que Ansible (en versiones 2.3.x anteriores a la 2.3.3 y versiones 2.4.x anteriores a la 2.4.1) pasaba algu... • https://access.redhat.com/errata/RHSA-2017:2966 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3498
https://notcve.org/view.php?id=CVE-2014-3498
08 Jun 2017 — The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands. El módulo de usuario en ansible, versiones anteriores a la 1.6.6, permite a usuarios remotos autenticados ejecutar comandos arbitrarios. • https://bugzilla.redhat.com/show_bug.cgi?id=1335551 • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2015-6240 – Ubuntu Security Notice USN-7330-1
https://notcve.org/view.php?id=CVE-2015-6240
07 Jun 2017 — The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack. Los plugins chroot, jail, y zone connection en Ansible anterior a versión 1.9.2 permiten a los usuarios locales escapar de un entorno restringido por medio de un ataque de enlace simbólico (symlink). It was discovered that Ansible did not properly verify certain fields of X.509 certificates. An attacker could possibly use this issue to spoof SSL servers if they wer... • http://www.openwall.com/lists/oss-security/2015/08/17/10 • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 8.5EPSS: 2%CPEs: 3EXPL: 0CVE-2017-7466 – ansible: Arbitrary code execution on control node (incomplete fix for CVE-2016-9587)
https://notcve.org/view.php?id=CVE-2017-7466
18 May 2017 — Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. Ansible en versiones anteriores a la 2.3 tiene una vulnerabilidad de validación de entradas en la gestión de datos enviados desde los sistemas del cliente. Un ata... • http://www.securityfocus.com/bid/97595 • CWE-20: Improper Input Validation •
CVSS: 9.3EPSS: 10%CPEs: 3EXPL: 2CVE-2016-9587 – Ansible 2.1.4/2.2.1 - Command Execution
https://notcve.org/view.php?id=CVE-2016-9587
12 Jan 2017 — Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. Ansible, en versiones anteriores a la 2.1.4 y la 2.2.1, es vulnerable a una validación de entradas incorrecta en la gestión de Ansible de da... • https://packetstorm.news/files/id/140466 • CWE-20: Improper Input Validation •
CVSS: 9.1EPSS: 1%CPEs: 1EXPL: 0CVE-2016-8628 – ansible: Command injection by compromised server via fact variables
https://notcve.org/view.php?id=CVE-2016-8628
16 Nov 2016 — Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as. Ansible en versiones anteriores a la 2.2.0 no sanea correctamente las variables de hecho enviadas desde el controlador de Ansible. Un atacante que pueda crear variables especiales en el controlador podría ejecutar comandos arbitrarios en los clientes ... • http://www.securityfocus.com/bid/94109 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 7.8EPSS: 0%CPEs: 6EXPL: 0CVE-2016-3096 – Gentoo Linux Security Advisory 201607-14
https://notcve.org/view.php?id=CVE-2016-3096
03 Jun 2016 — The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory. La función create_script en el módulo lxc_container en Ansible en versiones anteriores a 1.9.6-1 y 2.x en versiones anteriores a 2.0.2.... • http://lists.fedoraproject.org/pipermail/package-announce/2016-April/183103.html • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2015-3908 – Ubuntu Security Notice USN-7330-1
https://notcve.org/view.php?id=CVE-2015-3908
12 Aug 2015 — Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Vulnerabilidad en Ansible en versiones anteriores a 1.9.2, no verifica que el hostname del servidor coincida con un nombre de dominio en el Common Name (CN) del sujeto o el campo subjectAltName del certificado X.509, lo que permite a atacantes ma... • http://lists.opensuse.org/opensuse-updates/2015-07/msg00051.html • CWE-345: Insufficient Verification of Data Authenticity •