CVSS: 7.8EPSS: 0%CPEs: 2EXPL: 0CVE-2023-4237 – Platform: ec2_key module prints out the private key directly to the standard output
https://notcve.org/view.php?id=CVE-2023-4237
04 Oct 2023 — A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability. Se encontró una falla en la plataforma de automatización Ansible. Al crear un nuevo par de claves, el módulo ec2_key imprime la clave privada directamente en la salida estándar. • https://access.redhat.com/errata/RHBA-2023:5653 • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere •
CVSS: 6.5EPSS: 0%CPEs: 5EXPL: 0CVE-2023-4380 – Platform: token exposed at importing project
https://notcve.org/view.php?id=CVE-2023-4380
22 Aug 2023 — A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability. Existe un defecto lógico en Ansible. Siempre que se crea un proyecto privado con credenciales incorrectas, se registra en texto plano. • https://access.redhat.com/errata/RHSA-2023:4693 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.3EPSS: 0%CPEs: 8EXPL: 1CVE-2023-3971 – Controller: html injection in custom login info
https://notcve.org/view.php?id=CVE-2023-3971
01 Aug 2023 — An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise. Se encontró una falla de inyección de HTML en Controller en la configuración de la interfaz de usuario. Esta falla permite a un atacante capturar credenciales creando una página de inicio de sesión personalizada mediante la inyección de HTML, lo que resulta en un compromiso total. Red Hat Ansi... • https://github.com/ashangp923/CVE-2023-3971 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-3697 – Ubuntu Security Notice USN-6846-1
https://notcve.org/view.php?id=CVE-2022-3697
28 Oct 2022 — A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs. Se encontró una falla en Ansible en la colección amazon.aws al usar el parámetro tower_callback del módulo amazon.aws.ec2_instance. Esta falla permite que un atacante aproveche este problema ya que el módulo maneja e... • https://github.com/ansible-collections/amazon.aws/pull/1199 • CWE-233: Improper Handling of Parameters •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 1CVE-2022-3644 – Pulp: Tokens stored in plaintext
https://notcve.org/view.php?id=CVE-2022-3644
25 Oct 2022 — The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only. La colección remota para pulp_ansible almacena tokens en texto plano en lugar de usar el campo encriptado de pulp y los expone en modo de lectura/escritura por medio de la API () en lugar de marcarla como sólo de escritura A flaw exists in the collection remote for pulp_ansible, where tokens are stored in plaintext i... • https://github.com/pulp/pulp_ansible/blob/main/pulp_ansible/app/models.py#L234 • CWE-256: Plaintext Storage of a Password CWE-522: Insufficiently Protected Credentials •
CVSS: 7.3EPSS: 0%CPEs: 5EXPL: 0CVE-2022-3101 – tripleo-ansible: /var/lib/mistral/overcloud discoverable
https://notcve.org/view.php?id=CVE-2022-3101
18 Oct 2022 — A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of important configuration details from the OpenStack deployment. An update for tripleo-ansible is now available for Red Hat OpenStack Platform. Red Hat Product Security has rated this update as having a security impact ... • https://access.redhat.com/security/cve/CVE-2022-3101 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-276: Incorrect Default Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.3EPSS: 0%CPEs: 5EXPL: 0CVE-2022-3146 – tripleo-ansible: /etc/openstack/clouds.yaml discoverable
https://notcve.org/view.php?id=CVE-2022-3146
18 Oct 2022 — A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information disclosure of important configuration details from the OpenStack deployment. An update for tripleo-ansible is now available for Red Hat OpenStack Platform. • https://access.redhat.com/security/cve/CVE-2022-3146 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-276: Incorrect Default Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 6.4EPSS: 0%CPEs: 2EXPL: 0CVE-2022-3205 – Controller: cross site scripting in automation controller ui
https://notcve.org/view.php?id=CVE-2022-3205
13 Sep 2022 — Cross site scripting in automation controller UI in Red Hat Ansible Automation Platform 1.2 and 2.0 where the project name is susceptible to XSS injection Se presenta un ataque de tipo un XSS en la Interfaz de Usuario del controlador de automatización en el que el nombre del proyecto es susceptible de inyección de tipo XSS • https://access.redhat.com/security/cve/CVE-2022-3205 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-1632
https://notcve.org/view.php?id=CVE-2022-1632
01 Sep 2022 — An Improper Certificate Validation attack was found in Openshift. A re-encrypt Route with destinationCACertificate explicitly set to the default serviceCA skips internal Service TLS certificate validation. This flaw allows an attacker to exploit an invalid certificate, resulting in a loss of confidentiality. Se ha encontrado un ataque de comprobación inapropiada de certificados en Openshift. Una ruta de re-encriptación con destinationCACertificate explícitamente establecido en el serviceCA por defecto omite... • https://bugzilla.redhat.com/show_bug.cgi?id=2081181 • CWE-295: Improper Certificate Validation •
CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 0CVE-2021-3702
https://notcve.org/view.php?id=CVE-2021-3702
23 Aug 2022 — A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made use of the private_data_dir. The highest Threat out of this flaw is to integrity and confidentiality. Se encontró un fallo de condición de carrera en ansible-runner, donde un atacante podría observar la creación y eliminación rápida de un d... • https://access.redhat.com/security/cve/CVE-2021-3702 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •