CVE Daily
← All tags

Tag: Ansible

All CVEs associated with "Ansible". Page 1/2 • 166 CVEs.

About “Ansible”

A curated feed of “Ansible”-related CVEs appears below. We currently track 166 CVEs for this tag (all time). In the last 365 days, 14 were published. Average CVSS is 6.6 (all time; 6.2 over 365d), and 42% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor, CWE-312 - Cleartext Storage of Sensitive Information, CWE-276 - Incorrect Default Permissions.

In our taxonomy this topic maps to a LOW impact class. Config management tools have broad privileges. Patch servers and agents, use least privilege, sign artifacts, and audit playbooks and modules. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: ansible

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
1313.7.0-
1212.3.0 Expired
1111.13.0 Expired
1010.7.0 Expired
99.13.0 Expired
88.7.0 Expired
77.7.0 Expired
66.7.0 Expired
55.10.0 Expired
44.10.0 Expired
33.4.0 Expired
2.102.10.7 Expired
2.92.9.27 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS  ·  RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Ansible”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-04-08
Medium

CVE-2025-57847

A container privilege escalation flaw was found in certain Ansible Automation Platform images. This issue arises from the /etc/passwd file being created with group-writable permissions during the bui…

CVSS: 6.4 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2026-02-27
Medium

CVE-2025-9909

A flaw was found in the Red Hat Ansible Automation Platform Gateway route creation component. This vulnerability allows credential theft via the creation of misleading routes using a double-slash (//…

CVSS: 6.7 CWE: CWE-647 - Use of Non-Canonical URL Paths for Authorization Decisions View on NVD
Medium

CVE-2025-9908

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Streams. This vulnerability allows an authenticated user to gain access to sensitive internal infrastruct…

CVSS: 6.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2025-9907

A flaw was found in the Red Hat Ansible Automation Platform, Event-Driven Ansible (EDA) Event Stream API. This vulnerability allows exposure of sensitive client credentials and internal infrastructur…

CVSS: 6.7 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2026-02-06
Medium

CVE-2026-0598

A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the…

CVSS: 4.2 CWE: CWE-283 - Unverified Ownership View on NVD
2026-01-20
High

CVE-2025-14377

A security issue was discovered within the legacy Ansible playbook component of Verve Asset Manager, caused by plaintext secrets incorrectly stored when a playbook is running. This component has been…

CVSS: 8.8 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2026-01-08
High

CVE-2025-14025

A flaw was found in Ansible Automation Platform (AAP). Read-only scoped OAuth2 API Tokens in AAP, are enforced at the Gateway level for Gateway-specific operations. However, this vulnerability allows…

CVSS: 8.5 CWE: CWE-279 - Incorrect Execution-Assigned Permissions View on NVD
2025-12-04
Medium

CVE-2025-14010

A flaw was found in ansible-collection-community-general. This vulnerability allows for information exposure (IE) of sensitive credentials, specifically plaintext passwords, via verbose output when r…

CVSS: 5.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2025-08-04
Medium

CVE-2025-5988

A flaw was found in the Ansible aap-gateway. Cross-site request forgery (CSRF) origin checking is not done on requests from the gateway to external components, such as the controller, hub, and eda.

CVSS: 5.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2025-07-31
Medium

CVE-2025-7738

A flaw was found in Ansible Automation Platform (AAP) where the Gateway API returns the client secret for certain GitHub Enterprise authenticators in clear text. This vulnerability affects administra…

CVSS: 4.4 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2025-07-11
Low

CVE-2025-53862

A flaw was found in Ansible. Three API endpoints are accessible and return verbose, unauthenticated responses. This flaw allows a malicious user to access data that may contain important information.

CVSS: 3.5 CWE: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere View on NVD
Low

CVE-2025-53861

A flaw was found in Ansible. Sensitive cookies without security flags over non-encrypted channels can lead to Man-in-the-Middle (MitM) and Cross-site scripting (XSS) attacks allowing attackers to rea…

CVSS: 3.1 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2025-06-30
High

CVE-2025-49521

A flaw was found in the EDA component of the Ansible Automation Platform, where user-supplied Git branch or refspec values are evaluated as Jinja2 templates. This vulnerability allows authenticated u…

CVSS: 8.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
High

CVE-2025-49520

A flaw was found in Ansible Automation Platform’s EDA component where user-supplied Git URLs are passed unsanitized to the git ls-remote command. This vulnerability allows an authenticated attacker t…

CVSS: 8.8 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
2025-03-28
Medium

CVE-2025-2877

A flaw was found in the Ansible Automation Platform's Event-Driven Ansible. In configurations where verbosity is set to "debug", inventory passwords are exposed in plain text when starting a rulebook…

CVSS: 6.5 CWE: CWE-1295 - Debug Messages Revealing Unnecessary Information View on NVD
2025-03-03
High

CVE-2025-1801

A flaw was found in the Ansible aap-gateway. Concurrent requests handled by the gateway grpc service can result in concurrency issues due to race condition requests against the proxy. This issue pote…

CVSS: 8.1 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
2024-11-29
High

CVE-2024-53979

ibm.ibm_zhmc is an Ansible collection for the IBM Z HMC. The Ansible collection "ibm.ibm_zhmc" writes password-like properties in clear text into its log file and into the output returned by some of…

CVSS: 8.2 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2024-11-25
Medium

CVE-2024-11483

A vulnerability was found in the Ansible Automation Platform (AAP). This flaw allows attackers to escalate privileges by improperly leveraging read-scoped OAuth2 tokens to gain write access. This iss…

CVSS: 5.0 CWE: CWE-284 - Improper Access Control View on NVD
2024-11-12
Medium

CVE-2024-11079

A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to…

CVSS: 5.5 CWE: CWE-20 - Improper Input Validation View on NVD
2024-11-06
Medium

CVE-2024-9902

A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a pr…

CVSS: 6.3 CWE: CWE-863 - Incorrect Authorization View on NVD
2024-10-08
Medium

CVE-2024-9620

A flaw was found in Event-Driven Automation (EDA) in Ansible Automation Platform (AAP), which lacks encryption of sensitive information. An attacker with network access could exploit this vulnerabili…

CVSS: 5.3 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2024-09-14
Medium

CVE-2024-8775

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_var…

CVSS: 5.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2024-09-12
Medium

CVE-2024-6840

An improper authorization flaw exists in the Ansible Automation Controller. This flaw allows an attacker using the k8S API server to send an HTTP request with a service account token mounted via `aut…

CVSS: 6.6 CWE: CWE-285 - Improper Authorization View on NVD
2024-07-18
Critical

CVE-2024-40629

JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints throu…

CVSS: 10.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Critical

CVE-2024-40628

JumpServer is an open-source Privileged Access Management (PAM) tool that provides DevOps and IT teams with on-demand and secure access to SSH, RDP, Kubernetes, Database and RemoteApp endpoints throu…

CVSS: 10.0 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2024-05-28
High

CVE-2024-36110

ansibleguy-webui is an open source WebUI for using Ansible. Multiple forms in versions < 0.0.21 allowed injection of HTML elements. These are returned to the user after executing job actions and thus…

CVSS: 8.2 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2024-04-25
High

CVE-2024-1657

A flaw was found in the ansible automation platform. An insecure WebSocket connection was being used in installation from the Ansible rulebook EDA server. An attacker that has access to any machine i…

CVSS: 8.1 CWE: CWE-319 - Cleartext Transmission of Sensitive Information View on NVD
2024-03-29
Critical

CVE-2024-29202

JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can exploit a Jinja2 template injection vulnerability in JumpServer's Ansible to execute ar…

CVSS: 9.9 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
Critical

CVE-2024-29201

JumpServer is an open source bastion host and an operation and maintenance security audit system. Attackers can bypass the input validation mechanism in JumpServer's Ansible to execute arbitrary code…

CVSS: 9.9 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2024-02-06
Medium

CVE-2024-0690

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks,…

CVSS: 5.0 CWE: CWE-117 - Improper Output Neutralization for Logs View on NVD
2023-12-18
Medium

CVE-2023-5115

An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used…

CVSS: 6.3 CWE: CWE-36 - Absolute Path Traversal View on NVD
2023-12-12
High

CVE-2023-5764

A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use…

CVSS: 7.1 CWE: CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine View on NVD
2023-11-14
Medium

CVE-2023-5189

A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink coul…

CVSS: 6.3 CWE: CWE-23 - Relative Path Traversal View on NVD
2023-10-04
Medium

CVE-2023-4380

A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the creden…

CVSS: 6.3 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
High

CVE-2023-4237

A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch…

CVSS: 7.3 CWE: CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere View on NVD
2023-08-28
High

CVE-2023-39059

An issue in ansible semaphore v.2.8.90 allows a remote attacker to execute arbitrary code via a crafted payload to the extra variables parameter.

CVSS: 8.8 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2023-05-16
Medium

CVE-2023-32983

Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them.

CVSS: 5.3 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
Medium

CVE-2023-32982

Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read pe…

CVSS: 4.3 CWE: CWE-311 - Missing Encryption of Sensitive Data View on NVD
2023-03-23
Medium

CVE-2022-3146

A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute forc…

CVSS: 5.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2022-3101

A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute forc…

CVSS: 5.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2023-03-18
Critical

CVE-2023-28609

api/auth.go in Ansible Semaphore before 2.8.89 mishandles authentication.

CVSS: 9.8 CWE: CWE-287 - Improper Authentication View on NVD
2023-01-02
Low

CVE-2014-125036

A vulnerability, which was classified as problematic, has been found in drybjed ansible-ntp. Affected by this issue is some unknown functionality of the file meta/main.yml. The manipulation leads to…

CVSS: 2.6 CWE: CWE-406 - Insufficient Control of Network Message Volume (Network Amplification) View on NVD
2022-10-28
High

CVE-2022-3697

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue…

CVSS: 7.5 CWE: CWE-233 - Improper Handling of Parameters View on NVD
2022-10-25
Medium

CVE-2022-3644

The collection remote for pulp_ansible stores tokens in plaintext instead of using pulp's encrypted field and exposes them in read/write mode via the API () instead of marking it as write only.

CVSS: 5.5 CWE: CWE-256 - Plaintext Storage of a Password View on NVD
2022-09-13
Medium

CVE-2022-3205

Cross site scripting in automation controller UI in Red Hat Ansible Automation Platform 1.2 and 2.0 where the project name is susceptible to XSS injection

CVSS: 4.6 CWE: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') View on NVD
2022-08-25
High

CVE-2021-4112

A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attacker to elevate the privilege from a low privileged user to an AWX user…

CVSS: 8.8 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
2022-08-24
High

CVE-2021-4041

A flaw was found in ansible-runner. An improper escaping of the shell command, while calling the ansible_runner.interface.run_command, can lead to parameters getting executed as host's shell command.…

CVSS: 7.8 CWE: CWE-20 - Improper Input Validation View on NVD
2022-08-23
Medium

CVE-2021-3702

A race condition flaw was found in ansible-runner, where an attacker could watch for rapid creation and deletion of a temporary directory, substitute their directory at that name, and then have acces…

CVSS: 6.3 CWE: CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') View on NVD
Medium

CVE-2021-3701

A flaw was found in ansible-runner where the default temporary files configuration in ansible-2.0.0 are written to world R/W locations. This flaw allows an attacker to pre-create the directory, resul…

CVSS: 6.6 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2022-08-18
Medium

CVE-2022-2568

A privilege escalation flaw was found in the Ansible Automation Platform. This flaw allows a remote authenticated user with 'change user' permissions to modify the account settings of the superuser a…

CVSS: 6.5 CWE: CWE-269 - Improper Privilege Management View on NVD
2022-07-14
Medium

CVE-2022-1662

In convert2rhel, there's an ansible playbook named ansible/run-convert2rhel.yml which passes the Red Hat Subscription Manager user password via the CLI to convert2rhel. This could allow unauthorized…

CVSS: 5.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2022-04-18
Medium

CVE-2021-3681

A flaw was found in Ansible Galaxy Collections. When collections are built manually, any files in the repository directory that are not explicitly excluded via the ``build_ignore`` list in "galaxy.ym…

CVSS: 5.5 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2022-03-23
High

CVE-2021-3589

An authorization flaw was found in Foreman Ansible. An authenticated attacker with certain permissions to create and run Ansible jobs can access hosts through job templates. The highest threat from t…

CVSS: 8.0 CWE: CWE-306 - Missing Authentication for Critical Function View on NVD
2022-03-16
Medium

CVE-2021-20180

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw…

CVSS: 5.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2022-03-03
Medium

CVE-2021-3620

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest th…

CVSS: 5.5 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
2021-09-29
Critical

CVE-2021-33924

Confluent Ansible (cp-ansible) version 5.5.0, 5.5.1, 5.5.2 and 6.0.0 is vulnerable to Incorrect Access Control via its auxiliary component that allows remote attackers to access sensitive information.

CVSS: 9.8 CWE: CWE-862 - Missing Authorization View on NVD
Medium

CVE-2021-33923

Insecure permissions in Confluent Ansible (cp-ansible) 5.5.0, 5.5.1, 5.5.2 and 6.0.0 allows local attackers to access some sensitive information (private keys, state database).

CVSS: 5.5 CWE: CWE-276 - Incorrect Default Permissions View on NVD
2021-09-22
High

CVE-2021-3583

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-lin…

CVSS: 7.1 CWE: CWE-20 - Improper Input Validation View on NVD
2021-06-11
High

CVE-2021-21382

Restund is an open source NAT traversal server. The restund TURN server can be instructed to open a relay to the loopback address range. This allows you to reach any other service running on localhos…

CVSS: 8.6 CWE: CWE-668 - Exposure of Resource to Wrong Sphere View on NVD
2021-05-28
High

CVE-2020-1716

A flaw was found in the ceph-ansible playbook where it contained hardcoded passwords that were being used as default passwords while deploying Ceph services. Any authenticated attacker can abuse this…

CVSS: 8.8 CWE: CWE-798 - Use of Hard-coded Credentials View on NVD
2021-05-27
Low

CVE-2020-14329

A data exposure flaw was found in Ansible Tower in versions before 3.7.2, where sensitive data can be exposed from the /api/v2/labels/ endpoint. This flaw allows users from other organizations in the…

CVSS: 3.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Low

CVE-2020-14328

A flaw was found in Ansible Tower in versions before 3.7.2. A Server Side Request Forgery flaw can be abused by supplying a URL which could lead to the server processing it connecting to internal ser…

CVSS: 3.3 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2020-14327

A Server-side request forgery (SSRF) flaw was found in Ansible Tower in versions before 3.6.5 and before 3.7.2. Functionality on the Tower server is abused by supplying a URL that could lead to the s…

CVSS: 5.5 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
Medium

CVE-2020-10729

A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since…

CVSS: 5.5 CWE: CWE-330 - Use of Insufficiently Random Values View on NVD
Medium

CVE-2020-10716

A flaw was found in Red Hat Satellite's Job Invocation, where the "User Input" entry was not properly restricted to the view. This flaw allows a malicious Satellite user to scan through the Job Invoc…

CVSS: 6.5 CWE: CWE-285 - Improper Authorization View on NVD
High

CVE-2020-10709

A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain a…

CVSS: 7.1 CWE: CWE-287 - Improper Authentication View on NVD
Low

CVE-2020-10698

A flaw was found in Ansible Tower when running jobs. This flaw allows an attacker to access the stdout of the executed jobs which are run from other organizations. Some sensible data can be disclosed…

CVSS: 3.3 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Medium

CVE-2020-10697

A flaw was found in Ansible Tower when running Openshift. Tower runs a memcached, which is accessed via TCP. An attacker can take advantage of writing a playbook polluting this cache, causing a denia…

CVSS: 4.4 CWE: CWE-862 - Missing Authorization View on NVD
2021-05-26
Medium

CVE-2021-20191

A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage o…

CVSS: 5.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
Medium

CVE-2021-20178

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw…

CVSS: 5.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2021-05-06
High

CVE-2021-31918

A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerab…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-04-29
High

CVE-2021-20228

A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This…

CVSS: 7.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2021-04-01
Medium

CVE-2021-3447

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controlle…

CVSS: 5.5 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2021-03-24
High

CVE-2019-19350

An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ansible-service-broker as shipped in Red Hat Openshift 4 and 3.11. An attacker with access to the container c…

CVSS: 7.8 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2021-03-09
Medium

CVE-2021-20253

A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside…

CVSS: 6.7 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
2021-01-20
Medium

CVE-2020-26278

Weave Net is open source software which creates a virtual network that connects Docker containers across multiple hosts and enables their automatic discovery. Weave Net before version 2.8.0 has a vul…

CVSS: 5.8 CWE: CWE-250 - Execution with Unnecessary Privileges View on NVD
2020-12-08
Medium

CVE-2020-25677

A flaw was found in Ceph-ansible v4.0.41 where it creates an /etc/ceph/iscsi-gateway.conf with insecure default permissions. This flaw allows any user on the system to read sensitive information with…

CVSS: 5.5 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
2020-12-02
Medium

CVE-2020-14369

This release fixes a Cross Site Request Forgery vulnerability was found in Red Hat CloudForms which forces end users to execute unwanted actions on a web application in which the user is currently au…

CVSS: 6.3 CWE: CWE-352 - Cross-Site Request Forgery (CSRF) View on NVD
2020-11-04
Medium

CVE-2020-2310

Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVSS: 4.3 CWE: N/A View on NVD
2020-10-29
High

CVE-2020-25646

A flaw was found in Ansible Collection community.crypto. openssl_privatekey_info exposes private key in logs. This directly impacts confidentiality

CVSS: 7.5 CWE: CWE-117 - Improper Output Neutralization for Logs View on NVD
2020-10-05
Medium

CVE-2020-25635

A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. Th…

CVSS: 5.0 CWE: CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer View on NVD
Medium

CVE-2020-25636

A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to hav…

CVSS: 6.6 CWE: CWE-377 - Insecure Temporary File View on NVD
2020-09-23
High

CVE-2020-14365

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during…

CVSS: 7.1 CWE: CWE-347 - Improper Verification of Cryptographic Signature View on NVD
2020-09-11
Medium

CVE-2020-14332

A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unau…

CVSS: 5.5 CWE: CWE-117 - Improper Output Neutralization for Logs View on NVD
Medium

CVE-2020-14330

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the…

CVSS: 5.0 CWE: CWE-532 - Insertion of Sensitive Information into Log File View on NVD
2020-08-26
High

CVE-2019-14904

A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' b…

CVSS: 7.3 CWE: CWE-20 - Improper Input Validation View on NVD
2020-08-11
High

CVE-2020-14296

Red Hat CloudForms 4.7 and 5 was vulnerable to Server-Side Request Forgery (SSRF) flaw. With the access to add Ansible Tower provider, an attacker could scan and attack systems from the internal netw…

CVSS: 7.1 CWE: CWE-918 - Server-Side Request Forgery (SSRF) View on NVD
2020-06-18
Medium

CVE-2020-10782

An exposure of sensitive information flaw was found in Ansible version 3.7.0. Sensitive information, such tokens and other secrets could be readable and exposed from the rsyslog configuration file, w…

CVSS: 6.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2020-05-15
Medium

CVE-2020-10744

An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the…

CVSS: 5.0 CWE: CWE-377 - Insecure Temporary File View on NVD
2020-05-12
Medium

CVE-2020-1746

A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2020-05-11
Medium

CVE-2020-10685

A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 an…

CVSS: 5.0 CWE: CWE-459 - Incomplete Cleanup View on NVD
2020-04-30
Medium

CVE-2020-10691

An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is cr…

CVSS: 5.2 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2020-04-24
Medium

CVE-2020-1741

A flaw was found in openshift-ansible. OpenShift Container Platform (OCP) 3.11 is too permissive in the way it specified CORS allowed origins during installation. An attacker, able to man-in-the-midd…

CVSS: 5.9 CWE: CWE-185 - Incorrect Regular Expression View on NVD
2020-04-03
Critical

CVE-2018-17954

An Improper Privilege Management in crowbar of SUSE OpenStack Cloud 7, SUSE OpenStack Cloud 8, SUSE OpenStack Cloud 9, SUSE OpenStack Cloud Crowbar 8, SUSE OpenStack Cloud Crowbar 9 allows root users…

CVSS: 9.3 CWE: CWE-269 - Improper Privilege Management View on NVD
2020-03-31
Medium

CVE-2019-14905

A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a f…

CVSS: 5.6 CWE: CWE-20 - Improper Input Validation View on NVD
2020-03-24
High

CVE-2020-10684

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable wh…

CVSS: 7.9 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2020-03-18
High

CVE-2019-19355

An insecure modification vulnerability in the /etc/passwd file was found in the openshift/ocp-release-operator-sdk. An attacker with access to the container could use this flaw to modify /etc/passwd…

CVSS: 7.0 CWE: CWE-266 - Incorrect Privilege Assignment View on NVD
2020-03-16
Low

CVE-2020-1740

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret,…

CVSS: 3.9 CWE: CWE-377 - Insecure Temporary File View on NVD
Low

CVE-2020-1738

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be se…

CVSS: 3.9 CWE: CWE-88 - Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') View on NVD
Low

CVE-2020-1736

A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the destination files world-readable if the destination file does n…

CVSS: 2.2 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
Medium

CVE-2020-1735

A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All ver…

CVSS: 4.2 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
Medium

CVE-2020-1753

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubern…

CVSS: 5.0 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2020-03-12
Low

CVE-2020-1739

A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to oth…

CVSS: 3.9 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
2020-03-11
Medium

CVE-2020-1733

A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user. When Ansible needs to run a module with…

CVSS: 5.0 CWE: CWE-377 - Insecure Temporary File View on NVD
2020-03-09
High

CVE-2020-1737

A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belon…

CVSS: 7.5 CWE: CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') View on NVD
2020-03-03
High

CVE-2020-1734

A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variabl…

CVSS: 7.4 CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') View on NVD
2020-02-20
Medium

CVE-2014-4659

Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "d…

CVSS: 5.5 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
Medium

CVE-2014-4658

The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file.

CVSS: 5.5 CWE: CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor View on NVD
Critical

CVE-2014-4657

The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions.

CVSS: 9.8 CWE: CWE-20 - Improper Input Validation View on NVD
Critical

CVE-2014-4678

The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute arbitrary code via crafted instructions. NOTE: this vulnerability e…

CVSS: 9.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Medium

CVE-2014-4660

Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow local users to obtain sensitive credential information in op…

CVSS: 5.5 CWE: CWE-522 - Insufficiently Protected Credentials View on NVD
2020-02-18
Critical

CVE-2014-4967

Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access to an Ansible managed host and providing a crafted fact, as d…

CVSS: 9.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
Critical

CVE-2014-4966

Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{" substrings, which allows remote attackers to execute arbitrary code…

CVSS: 9.8 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2020-01-09
High

CVE-2014-2686

Ansible prior to 1.5.4 mishandles the evaluation of some strings.

CVSS: 7.5 CWE: CWE-670 - Always-Incorrect Control Flow Implementation View on NVD
2020-01-02
Medium

CVE-2019-14864

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used…

CVSS: 6.5 CWE: CWE-117 - Improper Output Neutralization for Logs View on NVD
2019-12-19
Medium

CVE-2019-19342

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.4, when /websocket is requested and the password contains the '#' character. This request would cause a socket erro…

CVSS: 5.3 CWE: CWE-209 - Generation of Error Message Containing Sensitive Information View on NVD
Medium

CVE-2019-19341

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2, where files in '/var/backup/tower' are left world-readable. These files include both the SECRET_KEY and the database backup. Any user w…

CVSS: 5.5 CWE: CWE-732 - Incorrect Permission Assignment for Critical Resource View on NVD
High

CVE-2019-19340

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.3, where enabling RabbitMQ manager by setting it with '-e rabbitmq_enable_manager=true' exposes the RabbitMQ manage…

CVSS: 8.2 CWE: CWE-1188 - Initialization of a Resource with an Insecure Default View on NVD
2019-11-26
Medium

CVE-2019-14856

ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None

CVSS: 6.5 CWE: CWE-287 - Improper Authentication View on NVD
High

CVE-2019-14890

A vulnerability was found in Ansible Tower before 3.6.1 where an attacker with low privilege could retrieve usernames and passwords credentials from the new RHSM saved in plain text into the database…

CVSS: 8.4 CWE: CWE-312 - Cleartext Storage of Sensitive Information View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox