CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-25635
https://notcve.org/view.php?id=CVE-2020-25635
05 Oct 2020 — A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality. Se encontró un fallo en Ansible Base al usar el plugin de conexión aws_ssm, ya que la recolección de basura no está pasando después de que el playbook se haya completado. Los archivos permanecerían en el bucket exponiendo los datos. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-25636
https://notcve.org/view.php?id=CVE-2020-25636
05 Oct 2020 — A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability. Se encontró un fallo en Ansible Base cuando se usa el plugin de conexión aws_ssm, ya que no posee una separación de espacios de nombres para las transferencias de archivos. Los archivos se escriben directame... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25636 • CWE-377: Insecure Temporary File CWE-552: Files or Directories Accessible to External Parties •
CVSS: 5.5EPSS: 0%CPEs: 3EXPL: 0CVE-2020-14332 – Ansible: module_args does not censor properly in --check mode
https://notcve.org/view.php?id=CVE-2020-14332
11 Sep 2020 — A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality. Se encontró un fallo en Ansible Engine al usar module_args. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14332 • CWE-117: Improper Output Neutralization for Logs CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 1CVE-2020-14330 – Ansible: masked keys for uri module are exposed into content and json output
https://notcve.org/view.php?id=CVE-2020-14330
11 Sep 2020 — An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality. Se encontró un fallo de Neutralización de Salida Inapropiada para Registros en Ansible al usar el módulo uri, donde los datos confidenci... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14330 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 7.1EPSS: 0%CPEs: 10EXPL: 0CVE-2020-14365 – ansible: dnf module install packages with no GPG signature
https://notcve.org/view.php?id=CVE-2020-14365
02 Sep 2020 — A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability. Se encontr... • https://bugzilla.redhat.com/show_bug.cgi?id=1869154 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 5.5EPSS: 0%CPEs: 2EXPL: 0CVE-2020-14327 – Tower: SSRF: Server Side Request Forgery on Credential
https://notcve.org/view.php?id=CVE-2020-14327
05 Aug 2020 — A Server-side request forgery (SSRF) flaw was found in Ansible Tower in versions before 3.6.5 and before 3.7.2. Functionality on the Tower server is abused by supplying a URL that could lead to the server processing it. This flaw leads to the connection to internal services or the exposure of additional internal services by abusing the test feature of lookup credentials to forge HTTP/HTTPS requests from the server and retrieving the results of the response. Se encontró un fallo de tipo Server-side request f... • https://bugzilla.redhat.com/show_bug.cgi?id=1856785 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14328 – Tower: SSRF: Server Side Request Forgery on webhooks
https://notcve.org/view.php?id=CVE-2020-14328
05 Aug 2020 — A flaw was found in Ansible Tower in versions before 3.7.2. A Server Side Request Forgery flaw can be abused by supplying a URL which could lead to the server processing it connecting to internal services or exposing additional internal services and more particularly retrieving full details in case of error. The highest threat from this vulnerability is to data confidentiality. Se encontró un fallo en Ansible Tower en versiones anteriores a la 3.7.2. Puede ser abusado un fallo de tipo Server Side Reque... • https://bugzilla.redhat.com/show_bug.cgi?id=1856786 • CWE-918: Server-Side Request Forgery (SSRF) •
CVSS: 3.3EPSS: 0%CPEs: 1EXPL: 0CVE-2020-14329 – Tower: Sensitive Data Exposure on Label
https://notcve.org/view.php?id=CVE-2020-14329
05 Aug 2020 — A data exposure flaw was found in Ansible Tower in versions before 3.7.2, where sensitive data can be exposed from the /api/v2/labels/ endpoint. This flaw allows users from other organizations in the system to retrieve any label from the organization and also disclose organization names. The highest threat from this vulnerability is to confidentiality. Se encontró un fallo de exposición de datos en Ansible Tower en versiones anteriores a 3.7.2, donde los datos confidenciales pueden estar expuestos desde el ... • https://bugzilla.redhat.com/show_bug.cgi?id=1856787 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 5.8EPSS: 1%CPEs: 1EXPL: 0CVE-2020-14337 – Tower: Named URLs allow for testing the presence or absence of objects
https://notcve.org/view.php?id=CVE-2020-14337
31 Jul 2020 — A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes. This flaw allows an unauthenticated, remote attacker to retrieve pages from the default organization and verify existing usernames. The highest threat from this vulnerability is to data confidentiality. Se encontró un fallo de exposición de datos en Tower, donde fueron revelados datos confidenciales de los códigos de error de retorno HTTP. Este fallo permite a un atacante no autenticado remoto recupe... • https://bugzilla.redhat.com/show_bug.cgi?id=1859139 • CWE-209: Generation of Error Message Containing Sensitive Information •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-10782 – Tower: rsyslog configuration has world readable permissions
https://notcve.org/view.php?id=CVE-2020-10782
18 Jun 2020 — An exposure of sensitive information flaw was found in Ansible version 3.7.0. Sensitive information, such tokens and other secrets could be readable and exposed from the rsyslog configuration file, which has set the wrong world-readable permissions. The highest threat from this vulnerability is to confidentiality. This is fixed in Ansible version 3.7.1. Se encontró un fallo de exposición de información sensible en la versión 3.7.0 de Ansible. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10782 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-276: Incorrect Default Permissions CWE-732: Incorrect Permission Assignment for Critical Resource •