ansible@2.8.20 vulnerabilities

ansible is a simple IT automation system.

Affected versions of this package are vulnerable to Credential Exposure in amazon.aws.ec2_instance, which leaks passwords into logs when tower_callback.windows is set. This was resolved in version 5.1.0 of the amazon.aws.ec2_instance module. Note: You're only vulnerable if you're using the amazon.aws collection

Upgrade ansible to version 7.0.0 or higher.

ansible is a simple IT automation system.

Affected versions of this package are vulnerable to Information Exposure where user credentials are disclosed by default in the traceback error message of set_options.

Upgrade ansible to version 2.9.27 or higher.

ansible is a simple IT automation system.

Affected versions of this package are vulnerable to Command Injection. If a user is trying to put templates in multi-line yaml strings and the facts being handled don't routinely include special template characters, then their controller will be vulnerable to a template injection through the facts used in template.

Upgrade ansible to version 2.9.23 or higher.

ansible is a simple IT automation system.

Affected versions of this package are vulnerable to Information Exposure. A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file.

Upgrade ansible to version 2.9.6 or higher.

ansible is a simple IT automation system.

Affected versions of this package are vulnerable to Arbitrary Code Injection. The solaris_zone module checks the status of the zone by executing an os.system() call and using the zone name as a parameter. A malicious user could provide a crafted zone name which allows commands to be executed into the server manipulating the module behaviour.

Upgrade ansible to version 2.9.4 or higher.