All errata/sisyphus/ALT-PU-2020-1453-2
ALT-PU-2020-1453-2

Package update ansible in branch sisyphus

Version2.8.10-alt1
Task#247669
Published2026-02-04
Max severityHIGH
Severity:

Closed issues (29)

BDU:2020-02164
MEDIUM5.5

Уязвимость системы управления конфигурациями Ansible, связана с раскрытием информации через регистрационные файлы, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2020-05-19Modified: 2024-09-16
CVSS 3.xMEDIUM 5.5
CVSS:3.x/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0LOW 2.1
CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N
References
BDU:2020-02200
MEDIUM6.5

Уязвимость системы управления конфигурациями Ansible, связанная с недостаточной проверкой вводимых данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2020-05-21Modified: 2024-09-16
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:N/A:N
References
BDU:2020-03324
MEDIUM6.5

Уязвимость модулей Splunk и Sumologic системы управления конфигурациями Ansible, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации

Published: 2020-07-15Modified: 2026-01-20
CVSS 3.xMEDIUM 6.5
CVSS:3.x/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 2.0MEDIUM 6.8
CVSS:2.0/AV:N/AC:L/Au:S/C:C/I:N/A:N
References
BDU:2020-05681
HIGH7.5

Уязвимость модуля win_unzip системы управления конфигурациями Ansible, связанная с неверным ограничением имени пути к каталогу с ограниченным доступом, позволяющая нарушителю оказать воздействие на конфиденциальность, целостность и доступность защищаемой информации

Published: 2020-12-18Modified: 2024-09-16
CVSS 3.xHIGH 7.5
CVSS:3.x/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
CVSS 2.0HIGH 7.2
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:C/A:C
References
BDU:2020-05829
LOW3.6

Уязвимость системы управления конфигурациями Ansible, связанная с ошибками синхронизации при использовании общего ресурса, позволяющая нарушителю повысить свои привилегии и выполнить произвольный код

Published: 2020-12-24Modified: 2023-11-21
CVSS 2.0LOW 3.6
CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:P/A:P
References
BDU:2021-03714
HIGH7.3

Уязвимость модуля solaris_zone системы управления конфигурациями Ansible, связанная с отсутствием мер по очистке входных данных, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Published: 2021-07-20Modified: 2024-09-16
CVSS 3.xHIGH 7.3
CVSS:3.x/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
CVSS 2.0MEDIUM 6.1
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:P/A:P
References
BDU:2022-00282
MEDIUM5.0

Уязвимость системы управления конфигурациями Ansible, связанная с небезопасными временными файлами, позволяющая нарушителю получить доступ к конфиденциальным данным, нарушить их целостность, а также вызвать отказ в обслуживании

Published: 2022-01-17Modified: 2026-01-20
CVSS 3.xMEDIUM 5.0
CVSS:3.x/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
CVSS 2.0LOW 3.7
CVSS:2.0/AV:L/AC:H/Au:N/C:P/I:P/A:P
References
BDU:2022-00284
LOW3.9

Уязвимость модуля svn системы управления конфигурациями Ansible, связанная с раскрытием информации, позволяющая нарушителю получить доступ к конфиденциальным данным и нарушить их целостность

Published: 2022-01-17Modified: 2026-01-20
CVSS 3.xLOW 3.9
CVSS:3.x/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS 2.0LOW 3.3
CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:P/A:N
References
BDU:2022-03971
MEDIUM5.6

Уязвимость модуля nxos_file_copy системы управления конфигурациями Ansible, позволяющая нарушителю выполнить произвольные команды

Published: 2022-06-29Modified: 2025-12-26
CVSS 3.xMEDIUM 5.6
CVSS:3.x/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
CVSS 2.0MEDIUM 5.7
CVSS:2.0/AV:L/AC:L/Au:S/C:C/I:P/A:P
References
CVE-2019-14846
HIGH7.8

In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine 2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

Published: 2019-10-08Modified: 2024-11-21
CVSS 2.0LOW 2.1
CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:N/A:N
CVSS 3.xHIGH 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
CVE-2019-14856
MEDIUM6.5

ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None

Published: 2019-11-26Modified: 2024-11-21
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References
CVE-2019-14864
MEDIUM6.5

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.

Published: 2020-01-02Modified: 2024-11-21
CVSS 2.0MEDIUM 4.0
CVSS:2.0/AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References
CVE-2019-14904
HIGH7.3

A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.

Published: 2020-08-26Modified: 2024-11-21
CVSS 2.0MEDIUM 6.1
CVSS:2.0/AV:L/AC:L/Au:N/C:C/I:P/A:P
CVSS 3.xHIGH 7.3
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
References
CVE-2019-14905
MEDIUM5.6

A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.

Published: 2020-03-31Modified: 2024-11-21
CVSS 2.0MEDIUM 4.6
CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSS 3.xMEDIUM 5.6
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
References
CVE-2020-10684
HIGH7.1

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.

Published: 2020-03-24Modified: 2024-11-21
CVSS 2.0LOW 3.6
CVSS:2.0/AV:L/AC:L/Au:N/C:N/I:P/A:P
CVSS 3.xHIGH 7.1
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
References
CVE-2020-1733
MEDIUM5.0

A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with become user, the temporary directory is created in /var/tmp. This directory is created with "umask 77 && mkdir -p "; this operation does not fail if the directory already exists and is owned by another user. An attacker could take advantage to gain control of the become user as the target directory can be retrieved by iterating '/proc//cmdline'.

Published: 2020-03-11Modified: 2024-11-21
CVSS 2.0LOW 3.7
CVSS:2.0/AV:L/AC:H/Au:N/C:P/I:P/A:P
CVSS 3.xMEDIUM 5.0
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
References
CVE-2020-1737
HIGH7.8

A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the file system, using a path traversal. This issue is fixed in 2.10.

Published: 2020-03-09Modified: 2024-11-21
CVSS 2.0MEDIUM 4.6
CVSS:2.0/AV:L/AC:L/Au:N/C:P/I:P/A:P
CVSS 3.xHIGH 7.8
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
References
CVE-2020-1738
LOW3.9

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Published: 2020-03-16Modified: 2024-11-21
CVSS 2.0LOW 2.6
CVSS:2.0/AV:L/AC:H/Au:N/C:N/I:P/A:P
CVSS 3.xLOW 3.9
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
References
CVE-2020-1739
LOW3.9

A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attacker could take advantage by reading the cmdline file from that particular PID on the procfs.

Published: 2020-03-12Modified: 2024-11-21
CVSS 2.0LOW 3.3
CVSS:2.0/AV:L/AC:M/Au:N/C:P/I:P/A:N
CVSS 3.xLOW 3.9
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
References
GHSA-3m93-m4q6-mc6v
MEDIUM6.5

Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible

Published: 2020-02-26Modified: 2024-09-04
CVSS 3.xMEDIUM 6.5
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References
GHSA-6fq2-x65v-v9h7
HIGH7.1

Ansible password prompts could expose passwords

Published: 2022-05-24Modified: 2024-11-18
CVSS 3.xHIGH 7.1
CVSS:3.x/CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS 4.0HIGH 7.1
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References
GHSA-893h-35v4-mxqx
HIGH8.5

Path Traversal in Ansible

Published: 2021-04-20Modified: 2024-09-06
CVSS 3.xHIGH 8.5
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0HIGH 8.5
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References
GHSA-923p-fr2c-g5m2
LOW2.4

Exposure of Sensitive Information to an Unauthorized Actor in Ansible

Published: 2021-04-07Modified: 2024-09-06
CVSS 3.xLOW 2.4
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CVSS 4.0LOW 2.4
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
References
GHSA-f85h-23mf-2fwh
LOW1.0

Argument Injection in Ansible

Published: 2022-02-10Modified: 2024-09-06
CVSS 3.xLOW 1.0
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:L/A:L
CVSS 4.0LOW 1.0
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L
References
GHSA-frxj-5j27-f8rf
HIGH7.0

Externally Controlled Reference to a Resource in Another Sphere, Improper Input Validation, and External Control of File Name or Path in Ansible

Published: 2021-04-20Modified: 2024-11-18
CVSS 3.xHIGH 7.0
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
CVSS 4.0HIGH 7.0
CVSS:4.0/CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:N/SI:N/SA:N
References
GHSA-g4mq-6fp5-qwcf
LOW1.0

Ansible vulnerable to Exposure of Resource to Wrong Sphere and Insecure Temporary File

Published: 2021-04-20Modified: 2024-11-18
CVSS 3.xLOW 1.0
CVSS:3.x/CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:L
CVSS 4.0LOW 1.0
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L
References
GHSA-gwr8-5j83-483c
HIGH8.3

OS Command Injection and Improper Input Validation in ansible

Published: 2021-04-20Modified: 2024-09-06
CVSS 3.xHIGH 8.3
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
CVSS 4.0HIGH 8.3
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:L/VA:L/SC:H/SI:L/SA:L
References
GHSA-p62g-jhg6-v3rq
MEDIUM6.9

Code Injection, Race Condition, and Execution with Unnecessary Privileges in Ansible

Published: 2021-04-07Modified: 2024-11-18
CVSS 3.x
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
CVSS 4.0
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N
References
GHSA-pm48-cvv2-29q5
HIGH8.5

Ansible Uses Plugins That Disclose Credentials

Published: 2022-05-24Modified: 2024-09-10
CVSS 3.xHIGH 8.5
CVSS:3.x/CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0HIGH 8.5
CVSS:4.0/CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References