ansible@2.8.0rc2 vulnerabilities

Radically simple IT automation

  • latest version

    11.1.0

  • latest non vulnerable version

  • first published

    11 years ago

  • latest version published

    19 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the ansible package. This does not include vulnerabilities belonging to this package’s dependencies.

    How to fix?

    Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

    Fix for free
    VulnerabilityVulnerable Version
    • M
    Credential Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Credential Exposure in amazon.aws.ec2_instance, which leaks passwords into logs when tower_callback.windows is set. This was resolved in version 5.1.0 of the amazon.aws.ec2_instance module. Note: You're only vulnerable if you're using the amazon.aws collection

    How to fix Credential Exposure?

    Upgrade ansible to version 7.0.0 or higher.

    [2.5.0,7.0.0)
    • M
    Information Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Information Exposure where user credentials are disclosed by default in the traceback error message of set_options.

    How to fix Information Exposure?

    Upgrade ansible to version 2.9.27 or higher.

    [,2.9.27)
    • M
    Command Injection

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Command Injection. If a user is trying to put templates in multi-line yaml strings and the facts being handled don't routinely include special template characters, then their controller will be vulnerable to a template injection through the facts used in template.

    How to fix Command Injection?

    Upgrade ansible to version 2.9.23 or higher.

    [,2.9.23)
    • M
    Information Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Information Exposure. A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file.

    How to fix Information Exposure?

    Upgrade ansible to version 2.9.6 or higher.

    [,2.9.6)
    • M
    Information Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Information Exposure. In several modules parameters containing credentials are being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided they have access to the log files containing them.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.20, 2.9.20 or higher.

    [0,2.8.20)[2.9.0,2.9.20)
    • M
    Information Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Information Exposure. It leaks sensitive info such as secret values. This could lead in disclosing those credentials for every user which has access to the output of playbook execution.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.19, 2.9.18 or higher.

    [,2.8.19)[2.9.0,2.9.18)
    • M
    Information Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Information Exposure. The return value of a specific module i.e. basic.py of ansible engine is not being masked by default while using the fallback sub-option.The return value may contain sensitive info like secret Or Credentials.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.19, 2.9.18, 2.10.7 or higher.

    [,2.8.19)[2.9.0,2.9.18)[2.10.0,2.10.7)
    • M
    Information Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Information Exposure. snmp_facts leaks user authentication such as authKey and privKey. This could lead in disclosing those credentials for every user which has access to the output of playbook execution.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.19, 2.9.18 or higher.

    [,2.8.19)[2.9.0,2.9.18)
    • M
    Information Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Information Exposure. A few different modules in Ansible-collection leaks sensitive data such as secret values. This could lead in disclosing those credentials for every user which has access to the output of playbook execution.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.19, 2.9.18 or higher.

    [,2.8.19)[2.9.0,2.9.18)
    • M
    Information Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Information Exposure. When using uri module keys are not properly masked and sensitive data is exposed into content and json output.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.14, 2.9.12 or higher.

    [,2.8.14)[2.9.0,2.9.12)
    • M
    Information Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Information Exposure. When using module_args, tasks executed with check mode (--check-mode) do not properly neutralize sensitive data which would be exposed in the event data. Unauthorized users would be able to read this data.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.14, 2.9.12 or higher.

    [,2.8.14)[2.9.0,2.9.12)
    • M
    Race Condition

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Race Condition. This flaw refers to the incomplete fix for CVE-2020-1733 insecure temporary directory when running become_user from become directive. This vulnerability is not mitigated fully as there are race conditions from the original flaw could still happen on systems using ACLs and FUSE filesystems.

    How to fix Race Condition?

    Upgrade ansible to version 2.9.10, 2.8.13 or higher.

    [2.9.0b1,2.9.10)[,2.8.13)
    • H
    Directory Traversal

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Directory Traversal. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node.

    How to fix Directory Traversal?

    Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.

    [2.7.0,2.7.17)[2.8.0a1,2.8.11)[2.9.0b1,2.9.7)
    • L
    Information Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Information Exposure. When a user executes ansible-vault edit, another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely.

    How to fix Information Exposure?

    Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.

    [2.7.0,2.7.17)[2.8.0a1,2.8.11)[2.9.0b1,2.9.7)
    • L
    Information Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Information Exposure. When a password is set with the argument password of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.

    How to fix Information Exposure?

    Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.

    [2.7.0,2.7.17)[2.8.0a1,2.8.11)[2.9.0b1,2.9.7)
    • M
    Information Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Information Exposure. A flaw was found in ldap_attr and ldap_entry community modules for Ansbile. This issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field since nothing in the params field is evaluated for sensitive data.

    How to fix Information Exposure?

    Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.

    [2.7.0,2.7.17)[2.8.0a1,2.8.11)[2.9.0b1,2.9.7)
    • H
    Arbitrary Code Injection

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Arbitrary Code Injection. The solaris_zone module checks the status of the zone by executing an os.system() call and using the zone name as a parameter. A malicious user could provide a crafted zone name which allows commands to be executed into the server manipulating the module behaviour.

    How to fix Arbitrary Code Injection?

    Upgrade ansible to version 2.9.4 or higher.

    [0,2.9.4)
    • M
    Information Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Information Exposure. Execution of ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for passwords to appear in EventLogs in plaintext. A malicious user with administrator privileges on the machine can view these logs and discover the plaintext password.

    How to fix Information Exposure?

    Upgrade ansible to version 2.5.12, 2.6.9, 2.7.3 or higher.

    [,2.5.13)[2.6.0,2.6.10)[2.7.0,2.7.4)[2.7.5,2.8.1)