CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2024-0690 – Ansible-core: possible information leak in tasks that ignore ansible_no_log configuration
https://notcve.org/view.php?id=CVE-2024-0690
06 Feb 2024 — An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values. Se encontró una falla de divulgación de información en ansible-core debido a que no se respetó la configuración de ANSIBLE_NO_LOG en algunos escenarios. Se descubrió que la información todaví... • https://access.redhat.com/errata/RHSA-2024:0733 • CWE-116: Improper Encoding or Escaping of Output CWE-117: Improper Output Neutralization for Logs •
CVSS: 7.8EPSS: 0%CPEs: 14EXPL: 0CVE-2023-5764 – Ansible: template injection
https://notcve.org/view.php?id=CVE-2023-5764
12 Dec 2023 — A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data. Se encontró una falla de inyección de plantilla en Ansible donde las operaciones de creación de plantillas internas del controlador de un usuario pueden eliminar la designación insegura de los datos de la plantilla. Este ... • https://access.redhat.com/errata/RHSA-2023:7773 • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32983
https://notcve.org/view.php?id=CVE-2023-32983
16 May 2023 — Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017 • CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2023-32982
https://notcve.org/view.php?id=CVE-2023-32982
16 May 2023 — Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017 • CWE-311: Missing Encryption of Sensitive Data CWE-312: Cleartext Storage of Sensitive Information •
CVSS: 7.8EPSS: 0%CPEs: 3EXPL: 0CVE-2022-3697 – Ubuntu Security Notice USN-6846-1
https://notcve.org/view.php?id=CVE-2022-3697
28 Oct 2022 — A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs. Se encontró una falla en Ansible en la colección amazon.aws al usar el parámetro tower_callback del módulo amazon.aws.ec2_instance. Esta falla permite que un atacante aproveche este problema ya que el módulo maneja e... • https://github.com/ansible-collections/amazon.aws/pull/1199 • CWE-233: Improper Handling of Parameters •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2021-20178 – ansible: user data leak in snmp_facts module
https://notcve.org/view.php?id=CVE-2021-20178
25 Feb 2021 — A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. Se encontró un fallo en el módulo ansible donde las credenciales son reveladas en el registro de la consola por defecto y no están protegidas por la característica de seguridad cuando se... • https://bugzilla.redhat.com/show_bug.cgi?id=1914774 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2021-20191 – ansible: multiple modules expose secured values
https://notcve.org/view.php?id=CVE-2021-20191
25 Feb 2021 — A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those credentials. The highest threat from this vulnerability is to data confidentiality. Versions before ansible 2.9.18 are affected. • https://bugzilla.redhat.com/show_bug.cgi?id=1916813 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2021-20180 – module: bitbucket_pipeline_variable exposes secured values
https://notcve.org/view.php?id=CVE-2021-20180
25 Feb 2021 — A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to confidentiality. Se ha encontrado un fallo en el módulo de ansible en el que las credenciales son divulgadas en el registro de la consola por defecto y no están protegidas por la función de seguridad cua... • https://bugzilla.redhat.com/show_bug.cgi?id=1915808 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 5.0EPSS: 0%CPEs: 6EXPL: 0CVE-2020-10744
https://notcve.org/view.php?id=CVE-2020-10744
15 May 2020 — An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected and Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected. Se ha encontrado una corrección incompleta para la corrección del fallo de ansible CVE... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10744 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-377: Insecure Temporary File •
CVSS: 7.9EPSS: 0%CPEs: 12EXPL: 0CVE-2020-10684 – Ansible: code injection when using ansible_facts as a subkey
https://notcve.org/view.php?id=CVE-2020-10684
24 Mar 2020 — A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection. Se descubrió un fallo en Ansible Engine, todas las version... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-10684 • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') CWE-862: Missing Authorization •