ansible@2.9.9 vulnerabilities

Radically simple IT automation

latest version

11.1.0

latest non vulnerable version

first published

11 years ago

latest version published

19 days ago

licenses detected

GPL-3.0
[0,)

View ansible package health on Snyk Advisor (opens in a new tab)

Go back to all versions of this package

Report a new vulnerability Found a mistake?

Direct Vulnerabilities

Known vulnerabilities in the ansible package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Vulnerability	Vulnerable Version
M Credential Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Credential Exposure in `amazon.aws.ec2_instance`, which leaks passwords into logs when `tower_callback.windows` is set. This was resolved in version 5.1.0 of the `amazon.aws.ec2_instance` module. Note: You're only vulnerable if you're using the `amazon.aws` collection How to fix Credential Exposure? Upgrade `ansible` to version 7.0.0 or higher.	[2.5.0,7.0.0)
M Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure where user credentials are disclosed by default in the traceback error message of `set_options`. How to fix Information Exposure? Upgrade `ansible` to version 2.9.27 or higher.	[,2.9.27)
M Command Injection ansible is a simple IT automation system. Affected versions of this package are vulnerable to Command Injection. If a user is trying to put templates in multi-line yaml strings and the facts being handled don't routinely include special template characters, then their controller will be vulnerable to a template injection through the facts used in template. How to fix Command Injection? Upgrade `ansible` to version 2.9.23 or higher.	[,2.9.23)
H Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. Logging with ansible is set at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process. How to fix Information Exposure? Upgrade `ansible` to version 2.9.12, 2.8.6, 2.10.0, 2.7.14 or higher.	[2.9.0,2.9.12)[2.8.0,2.8.6)[2.10.0a1,2.10.0)[,2.7.14)
M Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. In several modules parameters containing credentials are being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These parameters were not protected by the `no_log` feature. An attacker can take advantage of this information to steal those credentials, provided they have access to the log files containing them. How to fix Information Exposure? Upgrade `ansible` to version 2.8.20, 2.9.20 or higher.	[0,2.8.20)[2.9.0,2.9.20)
M Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. It leaks sensitive info such as secret values. This could lead in disclosing those credentials for every user which has access to the output of playbook execution. How to fix Information Exposure? Upgrade `ansible` to version 2.8.19, 2.9.18 or higher.	[,2.8.19)[2.9.0,2.9.18)
M Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. The return value of a specific module i.e. `basic.py` of ansible engine is not being masked by default while using the fallback `sub-option`.The return value may contain sensitive info like secret Or Credentials. How to fix Information Exposure? Upgrade `ansible` to version 2.8.19, 2.9.18, 2.10.7 or higher.	[,2.8.19)[2.9.0,2.9.18)[2.10.0,2.10.7)
M Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. `snmp_facts` leaks user authentication such as `authKey` and `privKey`. This could lead in disclosing those credentials for every user which has access to the output of playbook execution. How to fix Information Exposure? Upgrade `ansible` to version 2.8.19, 2.9.18 or higher.	[,2.8.19)[2.9.0,2.9.18)
M Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. A few different modules in Ansible-collection leaks sensitive data such as secret values. This could lead in disclosing those credentials for every user which has access to the output of playbook execution. How to fix Information Exposure? Upgrade `ansible` to version 2.8.19, 2.9.18 or higher.	[,2.8.19)[2.9.0,2.9.18)
H Improper Verification of Cryptographic Signature ansible is a simple IT automation system. Affected versions of this package are vulnerable to Improper Verification of Cryptographic Signature. A flaw was found in the Ansible Engine when installing packages using the dnf module. GPG signatures are ignored during installation even when `disable_gpg_check` is set to False, which is the default behaviour. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. The highest threat from this vulnerability is to integrity and system availability. How to fix Improper Verification of Cryptographic Signature? Upgrade `ansible` to version 2.8.15, 2.9.13 or higher.	[2.8.0,2.8.15)[2.9.0,2.9.13)
M Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. When using uri module keys are not properly masked and sensitive data is exposed into content and json output. How to fix Information Exposure? Upgrade `ansible` to version 2.8.14, 2.9.12 or higher.	[,2.8.14)[2.9.0,2.9.12)
M Information Exposure ansible is a simple IT automation system. Affected versions of this package are vulnerable to Information Exposure. When using `module_args`, tasks executed with check mode (--check-mode) do not properly neutralize sensitive data which would be exposed in the event data. Unauthorized users would be able to read this data. How to fix Information Exposure? Upgrade `ansible` to version 2.8.14, 2.9.12 or higher.	[,2.8.14)[2.9.0,2.9.12)
M Race Condition ansible is a simple IT automation system. Affected versions of this package are vulnerable to Race Condition. This flaw refers to the incomplete fix for `CVE-2020-1733` insecure temporary directory when running `become_user` from `become` directive. This vulnerability is not mitigated fully as there are race conditions from the original flaw could still happen on systems using ACLs and FUSE filesystems. How to fix Race Condition? Upgrade `ansible` to version 2.9.10, 2.8.13 or higher.	[2.9.0b1,2.9.10)[,2.8.13)

Go back to all versions of this package