CVE-2020-25677 – ceph-ansible: insecure ownership on /etc/ceph/iscsi-gateway.conf configuration file
https://notcve.org/view.php?id=CVE-2020-25677
A flaw was found in Ceph-ansible v4.0.41 where it creates an /etc/ceph/iscsi-gateway.conf with insecure default permissions. This flaw allows any user on the system to read sensitive information within this file. The highest threat from this vulnerability is to confidentiality. Se ha encontrado un fallo en Ceph-ansible v4.0.41 en el que se crea un archivo /etc/ceph/iscsi-gateway.conf con permisos inseguros por defecto. Este fallo permite a cualquier usuario del sistema leer información sensible dentro de este archivo. • https://bugzilla.redhat.com/show_bug.cgi?id=1892108 https://access.redhat.com/security/cve/CVE-2020-25677 • CWE-312: Cleartext Storage of Sensitive Information •
CVE-2020-25635
https://notcve.org/view.php?id=CVE-2020-25635
A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality. Se encontró un fallo en Ansible Base al usar el plugin de conexión aws_ssm, ya que la recolección de basura no está pasando después de que el playbook se haya completado. Los archivos permanecerían en el bucket exponiendo los datos. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635 https://github.com/ansible-collections/community.aws/issues/222 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVE-2020-25636
https://notcve.org/view.php?id=CVE-2020-25636
A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability. Se encontró un fallo en Ansible Base cuando se usa el plugin de conexión aws_ssm, ya que no posee una separación de espacios de nombres para las transferencias de archivos. Los archivos se escriben directamente en el bucket root, haciendo posible tener colisiones cuando se ejecutan múltiples procesos de ansible. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25636 https://github.com/ansible-collections/community.aws/issues/221 • CWE-377: Insecure Temporary File CWE-552: Files or Directories Accessible to External Parties •
CVE-2020-14332 – Ansible: module_args does not censor properly in --check mode
https://notcve.org/view.php?id=CVE-2020-14332
A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality. Se encontró un fallo en Ansible Engine al usar module_args. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14332 https://github.com/ansible/ansible/pull/71033 https://www.debian.org/security/2021/dsa-4950 https://access.redhat.com/security/cve/CVE-2020-14332 https://bugzilla.redhat.com/show_bug.cgi?id=1857805 • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVE-2020-14330 – Ansible: masked keys for uri module are exposed into content and json output
https://notcve.org/view.php?id=CVE-2020-14330
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality. Se encontró un fallo de Neutralización de Salida Inapropiada para Registros en Ansible al usar el módulo uri, donde los datos confidenciales están expuestos en contenido y salida json. Este fallo permite a un atacante acceder a los registros o salidas de las tareas realizadas para leer las claves usadas en los libros de jugadas de otros usuarios dentro del módulo uri. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14330 https://github.com/ansible/ansible/issues/68400 https://www.debian.org/security/2021/dsa-4950 https://access.redhat.com/security/cve/CVE-2020-14330 https://bugzilla.redhat.com/show_bug.cgi?id=1856815 • CWE-532: Insertion of Sensitive Information into Log File •