37 results (0.010 seconds)

CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values. Se encontró una falla de divulgación de información en ansible-core debido a que no se respetó la configuración de ANSIBLE_NO_LOG en algunos escenarios. Se descubrió que la información todavía se incluye en la salida de determinadas tareas, como los elementos del bucle. • https://access.redhat.com/errata/RHSA-2024:0733 https://access.redhat.com/errata/RHSA-2024:2246 https://access.redhat.com/errata/RHSA-2024:3043 https://access.redhat.com/security/cve/CVE-2024-0690 https://bugzilla.redhat.com/show_bug.cgi?id=2259013 https://github.com/ansible/ansible/pull/82565 • CWE-116: Improper Encoding or Escaping of Output CWE-117: Improper Output Neutralization for Logs •

CVSS: 7.8EPSS: 0%CPEs: 14EXPL: 0

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data. Se encontró una falla de inyección de plantilla en Ansible donde las operaciones de creación de plantillas internas del controlador de un usuario pueden eliminar la designación insegura de los datos de la plantilla. Este problema podría permitir que un atacante utilice un archivo especialmente manipulado para introducir la inyección de código al proporcionar datos de plantillas. • https://access.redhat.com/errata/RHSA-2023:7773 https://access.redhat.com/security/cve/CVE-2023-5764 https://bugzilla.redhat.com/show_bug.cgi?id=2247629 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X7Q6CHPVCHMZS5M7V22GOKFSXZAQ24EU • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •

CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0

Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017 • CWE-312: Cleartext Storage of Sensitive Information •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017 • CWE-311: Missing Encryption of Sensitive Data •

CVSS: 5.5EPSS: 0%CPEs: 5EXPL: 0

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. The highest threat from this vulnerability is to data confidentiality. This flaw affects Red Hat Ansible Automation Platform in versions before 1.2.2 and Ansible Tower in versions before 3.8.2. • https://bugzilla.redhat.com/show_bug.cgi?id=1939349 https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/2MS4VPUYVLGSAKOX26IT52BSMEZRZ3KS https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JBZ75MAMVQVZROPYHMRDQKPPVASP63DG https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/RUTGO4RS4ZXZSPBU2CHVPT75IAFVTTL3 https://access.redhat.com/security/cve/CVE-2 • CWE-532: Insertion of Sensitive Information into Log File •