ansible@2.9.0b1 vulnerabilities

Radically simple IT automation

latest version

11.1.0

latest non vulnerable version

first published

11 years ago

latest version published

19 days ago

licenses detected

GPL-3.0
[0,)

View ansible package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the ansible package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Vulnerability	Vulnerable Version
M Credential Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Credential Exposure in `amazon.aws.ec2_instance`, which leaks passwords into logs when `tower_callback.windows` is set. This was resolved in version 5.1.0 of the `amazon.aws.ec2_instance` module. Note: You're only vulnerable if you're using the `amazon.aws` collection How to fix Credential Exposure? Upgrade `ansible` to version 7.0.0 or higher.	[2.5.0,7.0.0)
M Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure where user credentials are disclosed by default in the traceback error message of `set_options`. How to fix Information Exposure? Upgrade `ansible` to version 2.9.27 or higher.	[,2.9.27)
M Command Injection ansible is a simple IT automation system. Affected versions of this package are vulnerable to Command Injection. If a user is trying to put templates in multi-line yaml strings and the facts being handled don't routinely include special template characters, then their controller will be vulnerable to a template injection through the facts used in template. How to fix Command Injection? Upgrade `ansible` to version 2.9.23 or higher.	[,2.9.23)
M Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. How to fix Information Exposure? Upgrade `ansible` to version 2.9.6 or higher.	[,2.9.6)
M Race Condition ansible is a simple IT automation system. Affected versions of this package are vulnerable to Race Condition. This flaw refers to the incomplete fix for `CVE-2020-1733` insecure temporary directory when running `become_user` from `become` directive. This vulnerability is not mitigated fully as there are race conditions from the original flaw could still happen on systems using ACLs and FUSE filesystems. How to fix Race Condition? Upgrade `ansible` to version 2.9.10, 2.8.13 or higher.	[2.9.0b1,2.9.10)[,2.8.13)
H Directory Traversal ansible is a simple IT automation system. Affected versions of this package are vulnerable to Directory Traversal. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. How to fix Directory Traversal? Upgrade `ansible` to version 2.7.17, 2.8.11, 2.9.7 or higher.	[2.7.0,2.7.17)[2.8.0a1,2.8.11)[2.9.0b1,2.9.7)
L Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. When a user executes `ansible-vault edit`, another user on the same computer can read the old and new secret, as it is created in a temporary file with `mkstemp` and the returned file descriptor is closed and the method `write_data` is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. How to fix Information Exposure? Upgrade `ansible` to version 2.7.17, 2.8.11, 2.9.7 or higher.	[2.7.0,2.7.17)[2.8.0a1,2.8.11)[2.9.0b1,2.9.7)
L Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. When a password is set with the argument `password` of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the `cmdline` file from that particular PID on the procfs. How to fix Information Exposure? Upgrade `ansible` to version 2.7.17, 2.8.11, 2.9.7 or higher.	[2.7.0,2.7.17)[2.8.0a1,2.8.11)[2.9.0b1,2.9.7)
M Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. A flaw was found in `ldap_attr` and `ldap_entry` community modules for Ansbile. This issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the `bind_pw` in the parameters field since nothing in the params field is evaluated for sensitive data. How to fix Information Exposure? Upgrade `ansible` to version 2.7.17, 2.8.11, 2.9.7 or higher.	[2.7.0,2.7.17)[2.8.0a1,2.8.11)[2.9.0b1,2.9.7)
H Arbitrary Code Injection ansible is a simple IT automation system. Affected versions of this package are vulnerable to Arbitrary Code Injection. The `solaris_zone` module checks the status of the zone by executing an `os.system()` call and using the zone name as a parameter. A malicious user could provide a crafted zone name which allows commands to be executed into the server manipulating the module behaviour. How to fix Arbitrary Code Injection? Upgrade `ansible` to version 2.9.4 or higher.	[0,2.9.4)
L Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. Splunk and Sumologic callback plugins leak sensitive data in logs. How to fix Information Exposure? Upgrade `ansible` to version 2.9.1, 2.8.7, 2.7.15 or higher.	[2.9.0b1,2.9.1)[2.8.0,2.8.7)[,2.7.15)

Go back to all versions of this package