CVSS: 5.5EPSS: 0%CPEs: 12EXPL: 0CVE-2024-0690 – Ansible-core: possible information leak in tasks that ignore ansible_no_log configuration
https://notcve.org/view.php?id=CVE-2024-0690
An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values. Se encontró una falla de divulgación de información en ansible-core debido a que no se respetó la configuración de ANSIBLE_NO_LOG en algunos escenarios. Se descubrió que la información todavía se incluye en la salida de determinadas tareas, como los elementos del bucle. • https://access.redhat.com/errata/RHSA-2024:0733 https://access.redhat.com/errata/RHSA-2024:2246 https://access.redhat.com/errata/RHSA-2024:3043 https://access.redhat.com/security/cve/CVE-2024-0690 https://bugzilla.redhat.com/show_bug.cgi?id=2259013 https://github.com/ansible/ansible/pull/82565 • CWE-116: Improper Encoding or Escaping of Output CWE-117: Improper Output Neutralization for Logs •
CVSS: 7.8EPSS: 0%CPEs: 14EXPL: 0CVE-2023-5764 – Ansible: template injection
https://notcve.org/view.php?id=CVE-2023-5764
A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data. Se encontró una falla de inyección de plantilla en Ansible donde las operaciones de creación de plantillas internas del controlador de un usuario pueden eliminar la designación insegura de los datos de la plantilla. Este problema podría permitir que un atacante utilice un archivo especialmente manipulado para introducir la inyección de código al proporcionar datos de plantillas. • https://access.redhat.com/errata/RHSA-2023:7773 https://access.redhat.com/security/cve/CVE-2023-5764 https://bugzilla.redhat.com/show_bug.cgi?id=2247629 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X7Q6CHPVCHMZS5M7V22GOKFSXZAQ24EU • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine •
CVSS: 6.3EPSS: 0%CPEs: 14EXPL: 0CVE-2023-5115 – Ansible: malicious role archive can cause ansible-galaxy to overwrite arbitrary files
https://notcve.org/view.php?id=CVE-2023-5115
An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path. Existe un ataque de path traversal absoluto en la plataforma de automatización Ansible. Esta falla permite a un atacante crear un rol de Ansible malicioso y hacer que la víctima ejecute el rol. • https://access.redhat.com/errata/RHSA-2023:5701 https://access.redhat.com/errata/RHSA-2023:5758 https://access.redhat.com/security/cve/CVE-2023-5115 https://bugzilla.redhat.com/show_bug.cgi?id=2233810 https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •
CVSS: 6.3EPSS: 0%CPEs: 5EXPL: 0CVE-2023-4380 – Platform: token exposed at importing project
https://notcve.org/view.php?id=CVE-2023-4380
A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability. Existe un defecto lógico en Ansible. Siempre que se crea un proyecto privado con credenciales incorrectas, se registra en texto plano. • https://access.redhat.com/errata/RHSA-2023:4693 https://access.redhat.com/security/cve/CVE-2023-4380 https://bugzilla.redhat.com/show_bug.cgi?id=2232324 • CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-3205 – Controller: cross site scripting in automation controller ui
https://notcve.org/view.php?id=CVE-2022-3205
Cross site scripting in automation controller UI in Red Hat Ansible Automation Platform 1.2 and 2.0 where the project name is susceptible to XSS injection Se presenta un ataque de tipo un XSS en la Interfaz de Usuario del controlador de automatización en el que el nombre del proyecto es susceptible de inyección de tipo XSS • https://access.redhat.com/security/cve/CVE-2022-3205 https://bugzilla.redhat.com/show_bug.cgi?id=2120597 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •