ansible-runner 1.3.0 vulnerabilities

Known vulnerabilities in the ansible-runner package. This does not include vulnerabilities belonging to this package’s dependencies.

Vulnerability	Vulnerable Version
H Improper Input Validation ansible-runner is a tool that helps when interfacing with Ansible directly or as part of another system whether that be through a container image interface, as a standalone tool, or as a Python module that can be imported. Affected versions of this package are vulnerable to Improper Input Validation while calling `ansible_runner.interface.run_command`, due to improper escaping of shell command where the parameters get executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment. How to fix Improper Input Validation? Upgrade `ansible-runner` to version 2.1.0 or higher.	[,2.1.0)
M Insecure Default ansible-runner is a tool that helps when interfacing with Ansible directly or as part of another system whether that be through a container image interface, as a standalone tool, or as a Python module that can be imported. Affected versions of this package are vulnerable to Insecure Default. The default temporary files configuration in are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing `ansible-runner` to write files as the legitimate user in a place they did not expect. How to fix Insecure Default? Upgrade `ansible-runner` to version 2.0.1 or higher.	[,2.0.1)
M Race Condition ansible-runner is a tool that helps when interfacing with Ansible directly or as part of another system whether that be through a container image interface, as a standalone tool, or as a Python module that can be imported. Affected versions of this package are vulnerable to Race Condition with temporary files in `tempfile.TemporaryDirectory()`. An attacker could watch for creation of a rapid creation and deletion of a temporary directory, substitute their own directory at that name, and then have access to `ansible-runner`'s `private_data_dir` the next time `ansible-runner` made use of the zprivate_data_dir`. How to fix Race Condition? Upgrade `ansible-runner` to version 2.0.1 or higher.	[0,2.0.1)
L Insecure Defaults ansible-runner is a tool that helps when interfacing with Ansible directly or as part of another system whether that be through a container image interface, as a standalone tool, or as a Python module that can be imported. Affected versions of this package are vulnerable to Insecure Defaults. The default permissions of writing job events where not safe. How to fix Insecure Defaults? Upgrade `ansible-runner` to version 1.3.1 or higher.	[,1.3.1)

Vulnerability

Vulnerable Version

Improper Input Validation

ansible-runner is a tool that helps when interfacing with Ansible directly or as part of another system whether that be through a container image interface, as a standalone tool, or as a Python module that can be imported.

Affected versions of this package are vulnerable to Improper Input Validation while calling ansible_runner.interface.run_command, due to improper escaping of shell command where the parameters get executed as host's shell command. A developer could unintentionally write code that gets executed in the host rather than the virtual environment.

How to fix Improper Input Validation?

Upgrade ansible-runner to version 2.1.0 or higher.

[,2.1.0)

Insecure Default

Affected versions of this package are vulnerable to Insecure Default. The default temporary files configuration in are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect.

How to fix Insecure Default?

Upgrade ansible-runner to version 2.0.1 or higher.

[,2.0.1)

Race Condition

Affected versions of this package are vulnerable to Race Condition with temporary files in tempfile.TemporaryDirectory(). An attacker could watch for creation of a rapid creation and deletion of a temporary directory, substitute their own directory at that name, and then have access to ansible-runner's private_data_dir the next time ansible-runner made use of the zprivate_data_dir`.

How to fix Race Condition?

Upgrade ansible-runner to version 2.0.1 or higher.

[0,2.0.1)

Insecure Defaults

Affected versions of this package are vulnerable to Insecure Defaults. The default permissions of writing job events where not safe.

How to fix Insecure Defaults?

Upgrade ansible-runner to version 1.3.1 or higher.

[,1.3.1)

ansible-runner@1.3.0 vulnerabilities

"Consistent Ansible Python API and CLI with container and process isolation runtime capabilities"

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

How to fix?