CVE-2023-39059
https://notcve.org/view.php?id=CVE-2023-39059
An issue in ansible semaphore v.2.8.90 allows a remote attacker to execute arbitrary code via a crafted payload to the extra variables parameter. • https://gist.github.com/Alevsk/1757da24c5fb8db735d392fd4146ca3a https://www.alevsk.com/2023/07/a-quick-story-of-security-pitfalls-with-execcommand-in-software-integrations • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2023-28609
https://notcve.org/view.php?id=CVE-2023-28609
api/auth.go in Ansible Semaphore before 2.8.89 mishandles authentication. • https://github.com/ansible-semaphore/semaphore/commit/3e4a62b7f2b1ef0660c9fb839818a53c80a5a8b1 https://github.com/ansible-semaphore/semaphore/releases/tag/v2.8.89 • CWE-287: Improper Authentication •
CVE-2014-125036 – drybjed ansible-ntp main.yml amplification
https://notcve.org/view.php?id=CVE-2014-125036
A vulnerability, which was classified as problematic, has been found in drybjed ansible-ntp. Affected by this issue is some unknown functionality of the file meta/main.yml. The manipulation leads to insufficient control of network message volume. The attack can only be done within the local network. The complexity of an attack is rather high. • https://github.com/drybjed/ansible-ntp/commit/ed4ca2cf012677973c220cdba36b5c60bfa0260b https://vuldb.com/?ctiid.217190 https://vuldb.com/?id.217190 • CWE-406: Insufficient Control of Network Message Volume (Network Amplification) •
CVE-2017-2809
https://notcve.org/view.php?id=CVE-2017-2809
An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A specially crafted vault can execute arbitrary python commands resulting in command execution. An attacker can insert python into the vault to trigger this vulnerability. Existe una vulnerabilidad explotable en la funcionalidad de carga de archivos yaml de ansible-vault en versiones anteriores a la 1.0.5. Una bóveda (vault) especialmente manipulada puede ejecutar comandos python arbitrarios. • http://www.securityfocus.com/bid/100824 https://github.com/tomoh1r/ansible-vault/blob/v1.0.5/CHANGES.txt https://github.com/tomoh1r/ansible-vault/commit/3f8f659ef443ab870bb19f95d43543470168ae04 https://github.com/tomoh1r/ansible-vault/issues/4 https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0305 • CWE-94: Improper Control of Generation of Code ('Code Injection') •
CVE-2016-9587 – Ansible 2.1.4/2.2.1 - Command Execution
https://notcve.org/view.php?id=CVE-2016-9587
Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. Ansible, en versiones anteriores a la 2.1.4 y la 2.2.1, es vulnerable a una validación de entradas incorrecta en la gestión de Ansible de datos enviados desde los sistemas de clientes. Un atacante que tenga el control de un sistema de cliente gestionado por Ansible y la capacidad de enviar hechos de vuelta al servidor de Ansible podría usar este error para ejecutar código arbitrario en el servidor de Ansible utilizando los privilegios del servidor de Ansible. An input validation vulnerability was found in Ansible's handling of data sent from client systems. • https://www.exploit-db.com/exploits/41013 http://rhn.redhat.com/errata/RHSA-2017-0195.html http://rhn.redhat.com/errata/RHSA-2017-0260.html http://www.securityfocus.com/bid/95352 https://access.redhat.com/errata/RHSA-2017:0448 https://access.redhat.com/errata/RHSA-2017:0515 https://access.redhat.com/errata/RHSA-2017:1685 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9587 https://security.gentoo.org/glsa/201701-77 https://access.redhat.com/security/cve/C • CWE-20: Improper Input Validation •