ALT-PU-2015-1579-2
Closed vulnerabilities
Published: 2015-08-12
Modified: 2025-04-12
CVE-2015-3908
Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Severity: MEDIUM (4.3) Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
References:
- http://lists.opensuse.org/opensuse-updates/2015-07/msg00051.html
- http://lists.opensuse.org/opensuse-updates/2015-08/msg00029.html
- http://www.ansible.com/security
- http://www.openwall.com/lists/oss-security/2015/07/14/4
- https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
Published: 2017-06-07
Modified: 2025-04-20
CVE-2015-6240
The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack.
Severity: HIGH (7.2) Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Severity: HIGH (7.8) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References:
- http://www.openwall.com/lists/oss-security/2015/08/17/10
- https://bugzilla.redhat.com/show_bug.cgi?id=1243468
- https://github.com/ansible/ansible/commit/952166f48eb0f5797b75b160fd156bbe1e8fc647
- https://github.com/ansible/ansible/commit/ca2f2c4ebd7b5e097eab0a710f79c1f63badf95b
- https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
Published: 2018-10-10
Modified: 2024-09-04
GHSA-w64c-pxjj-h866
Ansible does not verify that the server hostname matches a domain name in certificates
Severity: HIGH (8.7) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Severity: HIGH (8.7) Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-3908
- https://github.com/advisories/GHSA-w64c-pxjj-h866
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2015-1.yaml
- https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
- http://lists.opensuse.org/opensuse-updates/2015-07/msg00051.html
- http://lists.opensuse.org/opensuse-updates/2015-08/msg00029.html
- http://www.ansible.com/security
- http://www.openwall.com/lists/oss-security/2015/07/14/4
Published: 2022-05-13
Modified: 2024-08-31
GHSA-wwwh-47wp-m522
Ansible Sandbox Escape via Symlink Attack
Severity: HIGH (8.5) Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH (8.5) Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References:
- https://nvd.nist.gov/vuln/detail/CVE-2015-6240
- https://github.com/ansible/ansible/commit/952166f48eb0f5797b75b160fd156bbe1e8fc647
- https://github.com/ansible/ansible/commit/ca2f2c4ebd7b5e097eab0a710f79c1f63badf95b
- https://bugzilla.redhat.com/show_bug.cgi?id=1243468
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2017-3.yaml
- https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
- http://www.openwall.com/lists/oss-security/2015/08/17/10
Closed bugs
Update version
