CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 2CVE-2016-8614
https://notcve.org/view.php?id=CVE-2016-8614
A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject this key instead of the correct key. Se ha descubierto un problema en versiones anteriores a la 2.2.0 de Ansible. El módulo apt_key no verifica correctamente las huellas de la clave, lo que permite que un adversario remoto cree una clave de OpenPGP que coincide con el ID de clave corto y la inyecte en lugar de la clave correcta. • http://www.securityfocus.com/bid/94108 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-8614 https://github.com/ansible/ansible-modules-core/issues/5237 https://github.com/ansible/ansible-modules-core/pull/5353 https://github.com/ansible/ansible-modules-core/pull/5357 • CWE-320: Key Management Errors CWE-358: Improperly Implemented Security Check for Standard •
CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0CVE-2013-2233
https://notcve.org/view.php?id=CVE-2013-2233
Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys. Ansible en versiones anteriores a la 1.2.1 facilita que atacantes remotos lleven a cabo ataques Man-in-the-Middle (MitM) aprovechando el error a la hora de cachear claves de host SSH. • http://www.openwall.com/lists/oss-security/2013/07/01/2 http://www.openwall.com/lists/oss-security/2013/07/02/6 https://bugzilla.redhat.com/show_bug.cgi?id=980821 https://github.com/ansible/ansible/issues/857 https://www.ansible.com/security • CWE-320: Key Management Errors •
CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2018-1000149
https://notcve.org/view.php?id=CVE-2018-1000149
A man in the middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older in AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, AnsiblePlaybookStep.java that disables host key verification by default. Existe una vulnerabilidad de Man-in-the-Middle (MitM) en el plugin Ansible en Jenkins, en versiones 0.8 y anteriores, en AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java y AnsiblePlaybookStep.java que deshabilita la verificación de la clave del host por defecto. • https://jenkins.io/security/advisory/2018-03-26/#SECURITY-630 •
CVSS: 9.8EPSS: 0%CPEs: 3EXPL: 0CVE-2017-7550 – ansible: jenkins_plugin module exposes passwords in remote host logs
https://notcve.org/view.php?id=CVE-2017-7550
A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the "params" argument, and noting this in the module documentation. Se encontró un fallo en la manera en la que Ansible (en versiones 2.3.x anteriores a la 2.3.3 y versiones 2.4.x anteriores a la 2.4.1) pasaba algunos parámetros al módulo jenkins_plugin. Los atacantes remotos podrían utilizar este fallo para exponer información sensible de los logs de un host remoto. • https://access.redhat.com/errata/RHSA-2017:2966 https://bugzilla.redhat.com/show_bug.cgi?id=1473645 https://github.com/ansible/ansible/issues/30874 https://access.redhat.com/security/cve/CVE-2017-7550 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3498
https://notcve.org/view.php?id=CVE-2014-3498
The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands. El módulo de usuario en ansible, versiones anteriores a la 1.6.6, permite a usuarios remotos autenticados ejecutar comandos arbitrarios. • https://bugzilla.redhat.com/show_bug.cgi?id=1335551 https://github.com/ansible/ansible/commit/8ed6350e65c82292a631f08845dfaacffe7f07f5 • CWE-20: Improper Input Validation •