CVE-2014-3498
https://notcve.org/view.php?id=CVE-2014-3498
The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands. El módulo de usuario en ansible, versiones anteriores a la 1.6.6, permite a usuarios remotos autenticados ejecutar comandos arbitrarios. • https://bugzilla.redhat.com/show_bug.cgi?id=1335551 https://github.com/ansible/ansible/commit/8ed6350e65c82292a631f08845dfaacffe7f07f5 • CWE-20: Improper Input Validation •
CVE-2015-6240
https://notcve.org/view.php?id=CVE-2015-6240
The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack. Los plugins chroot, jail, y zone connection en Ansible anterior a versión 1.9.2 permiten a los usuarios locales escapar de un entorno restringido por medio de un ataque de enlace simbólico (symlink). • http://www.openwall.com/lists/oss-security/2015/08/17/10 https://bugzilla.redhat.com/show_bug.cgi?id=1243468 https://github.com/ansible/ansible/commit/952166f48eb0f5797b75b160fd156bbe1e8fc647 https://github.com/ansible/ansible/commit/ca2f2c4ebd7b5e097eab0a710f79c1f63badf95b https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html • CWE-59: Improper Link Resolution Before File Access ('Link Following') •
CVE-2017-7466 – ansible: Arbitrary code execution on control node (incomplete fix for CVE-2016-9587)
https://notcve.org/view.php?id=CVE-2017-7466
Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. Ansible en versiones anteriores a la 2.3 tiene una vulnerabilidad de validación de entradas en la gestión de datos enviados desde los sistemas del cliente. Un atacante que tenga el control de un sistema de cliente gestionado por Ansible y la capacidad de enviar hechos de vuelta al servidor de Ansible podría usar este error para ejecutar código arbitrario en el servidor de Ansible utilizando los privilegios del servidor de Ansible. An input validation vulnerability was found in Ansible's handling of data sent from client systems. • http://www.securityfocus.com/bid/97595 https://access.redhat.com/errata/RHSA-2017:1244 https://access.redhat.com/errata/RHSA-2017:1334 https://access.redhat.com/errata/RHSA-2017:1476 https://access.redhat.com/errata/RHSA-2017:1499 https://access.redhat.com/errata/RHSA-2017:1599 https://access.redhat.com/errata/RHSA-2017:1685 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7466 https://access.redhat.com/security/cve/CVE-2017-7466 https://bugzilla.redhat.com/sho • CWE-20: Improper Input Validation •
CVE-2016-9587 – Ansible 2.1.4/2.2.1 - Command Execution
https://notcve.org/view.php?id=CVE-2016-9587
Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. Ansible, en versiones anteriores a la 2.1.4 y la 2.2.1, es vulnerable a una validación de entradas incorrecta en la gestión de Ansible de datos enviados desde los sistemas de clientes. Un atacante que tenga el control de un sistema de cliente gestionado por Ansible y la capacidad de enviar hechos de vuelta al servidor de Ansible podría usar este error para ejecutar código arbitrario en el servidor de Ansible utilizando los privilegios del servidor de Ansible. An input validation vulnerability was found in Ansible's handling of data sent from client systems. • https://www.exploit-db.com/exploits/41013 http://rhn.redhat.com/errata/RHSA-2017-0195.html http://rhn.redhat.com/errata/RHSA-2017-0260.html http://www.securityfocus.com/bid/95352 https://access.redhat.com/errata/RHSA-2017:0448 https://access.redhat.com/errata/RHSA-2017:0515 https://access.redhat.com/errata/RHSA-2017:1685 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9587 https://security.gentoo.org/glsa/201701-77 https://access.redhat.com/security/cve/C • CWE-20: Improper Input Validation •
CVE-2016-8628 – ansible: Command injection by compromised server via fact variables
https://notcve.org/view.php?id=CVE-2016-8628
Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as. Ansible en versiones anteriores a la 2.2.0 no sanea correctamente las variables de hecho enviadas desde el controlador de Ansible. Un atacante que pueda crear variables especiales en el controlador podría ejecutar comandos arbitrarios en los clientes de Ansible como el usuario como el que se ejecuta Ansible. Ansible fails to properly sanitize fact variables sent from the Ansible controller. • http://www.securityfocus.com/bid/94109 https://access.redhat.com/errata/RHSA-2016:2778 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8628 https://access.redhat.com/security/cve/CVE-2016-8628 https://bugzilla.redhat.com/show_bug.cgi?id=1388113 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •