ansible@2.9.1 vulnerabilities

Radically simple IT automation

  • latest version

    11.1.0

  • latest non vulnerable version

  • first published

    11 years ago

  • latest version published

    19 days ago

  • licenses detected

  • Direct Vulnerabilities

    Known vulnerabilities in the ansible package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable Version
    • M
    Credential Exposure

    ansible is a simple IT automation system.

    Affected versions of this package are vulnerable to Credential Exposure in amazon.aws.ec2_instance, which leaks passwords into logs when tower_callback.windows is set. This was resolved in version 5.1.0 of the amazon.aws.ec2_instance module. Note: You're only vulnerable if you're using the amazon.aws collection.

    How to fix Credential Exposure?

    Upgrade ansible to version 7.0.0 or higher.

    [2.5.0,7.0.0)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure where user credentials are disclosed by default in the traceback error message of set_options.

    How to fix Information Exposure?

    Upgrade ansible to version 2.9.27 or higher.

    [,2.9.27)
    • M
    Command Injection

    Affected versions of this package are vulnerable to Command Injection. If a user puts templates in multi-line YAML strings and the facts being handled don't routinely include special template characters, then their controller will be vulnerable to a template injection through the facts used in the template.

    How to fix Command Injection?

    Upgrade ansible to version 2.9.23 or higher.

    [,2.9.23)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the same value, because template caching for the same file means no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file.

    How to fix Information Exposure?

    Upgrade ansible to version 2.9.6 or higher.

    [,2.9.6)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. When managing Kubernetes using the k8s module, sensitive parameters such as passwords and tokens are passed to kubectl on the command line, not through an environment variable or an input configuration file. This discloses passwords and tokens in the process list, and the no_log directive of the debug module has no effect, so these secrets are disclosed on stdout and in log files.

    How to fix Information Exposure?

    Upgrade ansible to version 2.9.7, 2.8.11, 2.7.17 or higher.

    [2.9.0,2.9.7)[2.8.0,2.8.11)[2.7.0,2.7.17)
    • H
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. Logging in ansible is set at the DEBUG level, which leads to a disclosure of credentials if a plugin uses a library that logs credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

    How to fix Information Exposure?

    Upgrade ansible to version 2.9.12, 2.8.6, 2.10.0, 2.7.14 or higher.

    [2.9.0,2.9.12)[2.8.0,2.8.6)[2.10.0a1,2.10.0)[,2.7.14)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. In several modules, parameters containing credentials are logged in plain text on managed nodes and are also visible on the controller node when run in verbose mode. These parameters were not protected by the no_log feature. An attacker can take advantage of this information to steal those credentials, provided they have access to the log files containing them.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.20, 2.9.20 or higher.

    [0,2.8.20)[2.9.0,2.9.20)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. It leaks sensitive information such as secret values. This could disclose those credentials to every user who has access to the output of playbook execution.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.19, 2.9.18 or higher.

    [,2.8.19)[2.9.0,2.9.18)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. The return value of a specific module, i.e. basic.py of ansible engine, is not masked by default when using the fallback sub-option. The return value may contain sensitive information such as secrets or credentials.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.19, 2.9.18, 2.10.7 or higher.

    [,2.8.19)[2.9.0,2.9.18)[2.10.0,2.10.7)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. snmp_facts leaks user authentication data such as authKey and privKey. This could disclose those credentials to every user who has access to the output of playbook execution.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.19, 2.9.18 or higher.

    [,2.8.19)[2.9.0,2.9.18)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. A few different modules in Ansible-collection leak sensitive data such as secret values. This could disclose those credentials to every user who has access to the output of playbook execution.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.19, 2.9.18 or higher.

    [,2.8.19)[2.9.0,2.9.18)
    • H
    Improper Verification of Cryptographic Signature

    Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. A flaw was found in the Ansible Engine when installing packages using the dnf module. GPG signatures are ignored during installation even when disable_gpg_check is set to False, which is the default behaviour. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability.

    How to fix Improper Verification of Cryptographic Signature?

    Upgrade ansible to version 2.8.15, 2.9.13 or higher.

    [2.8.0,2.8.15)[2.9.0,2.9.13)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. When using the uri module, keys are not properly masked and sensitive data is exposed in the content and json output.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.14, 2.9.12 or higher.

    [,2.8.14)[2.9.0,2.9.12)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. When using module_args, tasks executed in check mode (--check-mode) do not properly neutralize sensitive data, which is then exposed in the event data. Unauthorized users would be able to read this data.

    How to fix Information Exposure?

    Upgrade ansible to version 2.8.14, 2.9.12 or higher.

    [,2.8.14)[2.9.0,2.9.12)
    • M
    Race Condition

    Affected versions of this package are vulnerable to Race Condition. This flaw refers to the incomplete fix for CVE-2020-1733, an insecure temporary directory when running become_user from the become directive. The vulnerability is not fully mitigated, as race conditions from the original flaw could still happen on systems using ACLs and FUSE filesystems.

    How to fix Race Condition?

    Upgrade ansible to version 2.9.10, 2.8.13 or higher.

    [2.9.0b1,2.9.10)[,2.8.13)
    • M
    Credential Exposure

    Affected versions of this package are vulnerable to Credential Exposure. When using modules which decrypt vault files, such as the assemble, script, unarchive, win_copy, aws_s3 or copy modules, the temporary directory is created in /tmp and leaves the secrets unencrypted. On operating systems in which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decrypted data remains when the host is switched off. The system will be vulnerable when the system is not running.

    How to fix Credential Exposure?

    Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.

    [2.7.0,2.7.17)[2.8.0,2.8.11)[2.9.0,2.9.7)
    • M
    Insecure Permissions

    Affected versions of this package are vulnerable to Insecure Permissions within ansible-engine when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage of this to overwrite any file within the system.

    How to fix Insecure Permissions?

    Upgrade ansible to version 2.9.7 or higher.

    [2.9.0,2.9.7)
    • H
    Remote Code Execution (RCE)

    Affected versions of this package are vulnerable to Remote Code Execution (RCE). It allows using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting ansible_facts after the clean.

    How to fix Remote Code Execution (RCE)?

    Upgrade ansible to version 2.7.17, 2.8.9, 2.9.6 or higher.

    [,2.7.17)[2.8.0,2.8.9)[2.9.0,2.9.6)
    • H
    Directory Traversal

    Affected versions of this package are vulnerable to Directory Traversal. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node.

    How to fix Directory Traversal?

    Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.

    [2.7.0,2.7.17)[2.8.0a1,2.8.11)[2.9.0b1,2.9.7)
    • L
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. When a user executes ansible-vault edit, another user on the same computer can read the old and new secret. The secret is created in a temporary file with mkstemp, the returned file descriptor is closed, and the write_data method is called to write the existing secret to the file. This method deletes the file before recreating it insecurely.

    How to fix Information Exposure?

    Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.

    [2.7.0,2.7.17)[2.8.0a1,2.8.11)[2.9.0b1,2.9.7)
    • H
    Arbitrary Code Execution

    Affected versions of this package are vulnerable to Arbitrary Code Execution. A flaw was found in Ansible Engine when the package or service module is used and the parameter 'use' is not specified. If a previous task is executed by a malicious user, the module sent can be selected by the attacker using the ansible facts file.

    Both package and service modules use facts to determine the name of the module to run if use is not passed to the module. The ansible_facts['pkg_mgr'] and ansible_facts['service_mgr'] facts could be set to another module name or a module name installed in a collection such as ansible_collections.namespace.name./tmp/reverse-shell, which would allow arbitrary code execution on the managed node.

    Note: The maintainer disputes this vulnerability.

    How to fix Arbitrary Code Execution?

    Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.

    [2.7.0,2.7.17)[2.8.0,2.8.11)[2.9.0,2.9.7)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. When a file is moved using the atomic_move primitive, the file mode cannot be specified. This makes the destination file world-readable if it does not exist; if the file exists, it could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data.

    How to fix Information Exposure?

    Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.

    [2.7.0,2.7.17)[2.8.0,2.8.11)[2.9.0,2.9.7)
    • M
    Race Condition

    Affected versions of this package are vulnerable to Race Condition. A race condition flaw exists when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p <dir>". This operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage of this to gain control of the become user, as the target directory can be retrieved by iterating /proc/<pid>/cmdline.

    How to fix Race Condition?

    Upgrade ansible to version 2.7.17, 2.8.9, 2.9.6 or higher.

    [,2.7.17)[2.8.0,2.8.9)[2.9.0,2.9.6)
    • L
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. When a password is set with the password argument of the svn module, it is used on the svn command line, disclosing it to other users within the same node. An attacker could take advantage of this by reading the cmdline file from that particular PID on the procfs.

    How to fix Information Exposure?

    Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.

    [2.7.0,2.7.17)[2.8.0a1,2.8.11)[2.9.0b1,2.9.7)
    • M
    Arbitrary File Write via Archive Extraction (Zip Slip)

    Affected versions of this package are vulnerable to Arbitrary File Write via Archive Extraction (Zip Slip). A flaw was found when using the Extract-Zip function from the win_unzip module, as the extracted file(s) are not checked to confirm they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.

    How to fix Arbitrary File Write via Archive Extraction (Zip Slip)?

    Upgrade ansible to version 2.7.17, 2.8.9, 2.9.6 or higher.

    [,2.7.17)[2.8.0,2.8.9)[2.9.0,2.9.6)
    • C
    Arbitrary Command Execution

    Affected versions of this package are vulnerable to Arbitrary Command Execution. The pipe lookup plugin uses shell=True by default. If a variable is passed to the pipe lookup, that variable could be overridden via facts, leading to arbitrary code execution.

    Note: The maintainer disputes this vulnerability.

    How to fix Arbitrary Command Execution?

    Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.

    [2.7.0,2.7.17)[2.8.0,2.8.11)[2.9.0,2.9.7)
    • M
    Information Exposure

    Affected versions of this package are vulnerable to Information Exposure. A flaw was found in the ldap_attr and ldap_entry community modules for Ansible. This issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using bind_pw in the parameters field, since nothing in the params field is evaluated for sensitive data.

    How to fix Information Exposure?

    Upgrade ansible to version 2.7.17, 2.8.11, 2.9.7 or higher.

    [2.7.0,2.7.17)[2.8.0a1,2.8.11)[2.9.0b1,2.9.7)
    • H
    Arbitrary Code Execution

    Affected versions of this package are vulnerable to Arbitrary Code Execution. Filenames in the nxos_file_copy module are used to perform actions to copy files to a flash or bootflash on NXOS devices. nxos_file_copy uses the remote_file parameter to determine the file's destination. Malicious code could craft the filename parameter to take advantage of this by performing an OS command injection.

    How to fix Arbitrary Code Execution?

    Upgrade ansible to version 2.9.3, 2.8.8, 2.7.16 or higher.

    [2.9.0,2.9.3)[2.8.0,2.8.8)[,2.7.16)
    • H
    Arbitrary Code Injection

    Affected versions of this package are vulnerable to Arbitrary Code Injection. The solaris_zone module checks the status of the zone by executing an os.system() call and using the zone name as a parameter. A malicious user could provide a crafted zone name which allows commands to be executed on the server, manipulating the module behaviour.

    How to fix Arbitrary Code Injection?

    Upgrade ansible to version 2.9.4 or higher.

    [0,2.9.4)