ansible-runner@1.0.5 vulnerabilities

"Consistent Ansible Python API and CLI with container and process isolation runtime capabilities"

Direct Vulnerabilities

Known vulnerabilities in the ansible-runner package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability Vulnerable Version
  • H
Improper Input Validation

ansible-runner is a tool that helps when interfacing with Ansible directly or as part of another system whether that be through a container image interface, as a standalone tool, or as a Python module that can be imported.

Affected versions of this package are vulnerable to Improper Input Validation when calling ansible_runner.interface.run_command: shell command parameters are improperly escaped and get executed as a shell command on the host. A developer could unintentionally write code that gets executed on the host rather than in the virtual environment.

How to fix Improper Input Validation?

Upgrade ansible-runner to version 2.1.0 or higher.

Vulnerable versions: [,2.1.0)
  • M
Insecure Default

Affected versions of this package are vulnerable to Insecure Default. The default configuration writes temporary files to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect.

How to fix Insecure Default?

Upgrade ansible-runner to version 2.0.1 or higher.

Vulnerable versions: [,2.0.1)
  • M
Race Condition

Affected versions of this package are vulnerable to Race Condition with temporary files in tempfile.TemporaryDirectory(). An attacker could watch for the rapid creation and deletion of a temporary directory, substitute their own directory at that name, and then have access to ansible-runner's `private_data_dir` the next time ansible-runner made use of the `private_data_dir`.

How to fix Race Condition?

Upgrade ansible-runner to version 2.0.1 or higher.

Vulnerable versions: [0,2.0.1)
  • L
Insecure Defaults

Affected versions of this package are vulnerable to Insecure Defaults. The default permissions used when writing job events were not safe.

How to fix Insecure Defaults?

Upgrade ansible-runner to version 1.3.1 or higher.

Vulnerable versions: [,1.3.1)
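For the Insecure Default and Race Condition entries above, callers that cannot upgrade immediately can check the directory they intend to pass as private_data_dir before using it. The following is an added example, not code from ansible-runner or from this page; `ensure_private_dir`, `UnsafeDirectory` and `demo` are hypothetical names, and the directories in `demo` are constructed for the test.

```python
import os
import stat
import tempfile


class UnsafeDirectory(Exception):
    """The directory may have been planted or is open to other users."""


def ensure_private_dir(path):
    """Create path as a 0700 directory, or verify that an existing one is safe."""
    try:
        # mkdir fails if the name is already taken, so a directory somebody
        # else pre-created is never silently adopted as "ours".
        os.mkdir(path, 0o700)
    except FileExistsError:
        pass
    st = os.lstat(path)  # lstat: do not follow a symlink planted at this name
    if not stat.S_ISDIR(st.st_mode):
        raise UnsafeDirectory(f"{path}: not a real directory")
    if st.st_uid != os.geteuid():
        raise UnsafeDirectory(f"{path}: owned by uid {st.st_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        mode = stat.S_IMODE(st.st_mode)
        raise UnsafeDirectory(f"{path}: mode {mode:o} lets group/other in")
    return path


def demo():
    """Check three constructed directories; returns {case: 'ok' | 'rejected'}."""
    base = tempfile.mkdtemp()  # 0700, unpredictable name
    loose = os.path.join(base, "loose")
    os.mkdir(loose)
    os.chmod(loose, 0o777)  # constructed: what a world R/W default looks like
    link = os.path.join(base, "link")
    os.symlink(loose, link)  # constructed: a name redirected elsewhere
    cases = {"fresh": os.path.join(base, "fresh"),
             "world_rw": loose, "symlink": link}
    results = {}
    for name, path in cases.items():
        try:
            ensure_private_dir(path)
            results[name] = "ok"
        except UnsafeDirectory:
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

The check narrows the window but does not replace the upgrade: the parent of the directory should itself be writable only by the calling user, otherwise the name can still be swapped between the check and the use.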