CVE-2023-39059
https://notcve.org/view.php?id=CVE-2023-39059
An issue in Ansible Semaphore v2.8.90 allows a remote attacker to execute arbitrary code via a crafted payload to the extra variables parameter. • https://gist.github.com/Alevsk/1757da24c5fb8db735d392fd4146ca3a https://www.alevsk.com/2023/07/a-quick-story-of-security-pitfalls-with-execcommand-in-software-integrations • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-28609
https://notcve.org/view.php?id=CVE-2023-28609
api/auth.go in Ansible Semaphore before 2.8.89 mishandles authentication. • https://github.com/ansible-semaphore/semaphore/commit/3e4a62b7f2b1ef0660c9fb839818a53c80a5a8b1 https://github.com/ansible-semaphore/semaphore/releases/tag/v2.8.89 • CWE-287: Improper Authentication •
CVE-2014-125036 – drybjed ansible-ntp main.yml amplification
https://notcve.org/view.php?id=CVE-2014-125036
A vulnerability, which was classified as problematic, has been found in drybjed ansible-ntp. Affected by this issue is some unknown functionality of the file meta/main.yml. The manipulation leads to insufficient control of network message volume. The attack can only be done within the local network. The complexity of an attack is rather high. • https://github.com/drybjed/ansible-ntp/commit/ed4ca2cf012677973c220cdba36b5c60bfa0260b https://vuldb.com/?ctiid.217190 https://vuldb.com/?id.217190 • CWE-406: Insufficient Control of Network Message Volume (Network Amplification) •
CVE-2020-25646
https://notcve.org/view.php?id=CVE-2020-25646
A flaw was found in Ansible Collection community.crypto. openssl_privatekey_info exposes the private key in logs. This directly impacts confidentiality. • https://github.com/ansible-collections/community.crypto/commit/233d1afc296f6770e905a1785ee2f35af7605e43 • CWE-116: Improper Encoding or Escaping of Output CWE-117: Improper Output Neutralization for Logs •
CVE-2017-2809
https://notcve.org/view.php?id=CVE-2017-2809
An exploitable vulnerability exists in the YAML loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary Python commands resulting in command execution. An attacker can insert Python into the vault to trigger this vulnerability. • http://www.securityfocus.com/bid/100824 https://github.com/tomoh1r/ansible-vault/blob/v1.0.5/CHANGES.txt https://github.com/tomoh1r/ansible-vault/commit/3f8f659ef443ab870bb19f95d43543470168ae04 https://github.com/tomoh1r/ansible-vault/issues/4 https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0305 • CWE-94: Improper Control of Generation of Code ('Code Injection') •