CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2024-0690 – Ansible-core: possible information leak in tasks that ignore ansible_no_log configuration
https://notcve.org/view.php?id=CVE-2024-0690
06 Feb 2024 — An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values. Se encontró una falla de divulgación de información en ansible-core debido a que no se respetó la configuración de ANSIBLE_NO_LOG en algunos escenarios. Se descubrió que la información todaví... • https://access.redhat.com/errata/RHSA-2024:0733 • CWE-116: Improper Encoding or Escaping of Output CWE-117: Improper Output Neutralization for Logs •
CVSS: 7.8EPSS: 0%CPEs: 14EXPL: 0CVE-2023-5764 – Ansible: template injection
https://notcve.org/view.php?id=CVE-2023-5764
12 Dec 2023 — A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data. Se encontró una falla de inyección de plantilla en Ansible donde las operaciones de creación de plantillas internas del controlador de un usuario pueden eliminar la designación insegura de los datos de la plantilla. Este ... • https://access.redhat.com/errata/RHSA-2023:7773 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32983
https://notcve.org/view.php?id=CVE-2023-32983
16 May 2023 — Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32982
https://notcve.org/view.php?id=CVE-2023-32982
16 May 2023 — Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017 • CWE-311: Missing Encryption of Sensitive Data CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-3697 – Ubuntu Security Notice USN-6846-1
https://notcve.org/view.php?id=CVE-2022-3697
28 Oct 2022 — A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs. Se encontró una falla en Ansible en la colección amazon.aws al usar el parámetro tower_callback del módulo amazon.aws.ec2_instance. Esta falla permite que un atacante aproveche este problema ya que el módulo maneja e... • https://github.com/ansible-collections/amazon.aws/pull/1199 • CWE-233: Improper Handling of Parameters •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2021-20191 – ansible: multiple modules expose secured values
https://notcve.org/view.php?id=CVE-2021-20191
25 Feb 2021 — A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected. • https://bugzilla.redhat.com/show_bug.cgi?id=1916813 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2020-25635
https://notcve.org/view.php?id=CVE-2020-25635
05 Oct 2020 — A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality. Se encontró un fallo en Ansible Base al usar el plugin de conexión aws_ssm, ya que la recolección de basura no está pasando después de que el playbook se haya completado. Los archivos permanecerían en el bucket exponiendo los datos. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25635 • CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2020-25636
https://notcve.org/view.php?id=CVE-2020-25636
05 Oct 2020 — A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability. Se encontró un fallo en Ansible Base cuando se usa el plugin de conexión aws_ssm, ya que no posee una separación de espacios de nombres para las transferencias de archivos. Los archivos se escriben directame... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-25636 • CWE-377: Insecure Temporary File CWE-552: Files or Directories Accessible to External Parties •