National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

Search Results (Refine Search)

Search Parameters:
  • Contains Software Flaws (CVE)
  • CPE Product Version: cpe:/a:redhat:ansible_engine:2.5
There are 5 matching records.
Vuln ID Summary CVSS Severity
CVE-2018-16876

ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensible data.

Published: January 03, 2019; 10:29:01 AM -05:00
V3: 7.5 HIGH
V2: 5.0 MEDIUM
CVE-2018-16859

Execution of Ansible playbooks on Windows platforms with PowerShell ScriptBlock logging and Module logging enabled can allow for 'become' passwords to appear in EventLogs in plaintext. A local user with administrator privileges on the machine can view these logs and discover the plaintext password. Ansible Engine 2.8 and older are believed to be vulnerable.

Published: November 29, 2018; 01:29:00 PM -05:00
V3: 4.4 MEDIUM
V2: 2.1 LOW
CVE-2018-16837

Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list.

Published: October 23, 2018; 11:29:00 AM -04:00
V3: 7.8 HIGH
V2: 2.1 LOW
CVE-2018-10875

A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code.

Published: July 13, 2018; 06:29:00 PM -04:00
V3: 9.8 CRITICAL
V2: 7.5 HIGH
CVE-2018-10874

In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.

Published: July 02, 2018; 09:29:00 AM -04:00
V3: 7.8 HIGH
V2: 4.6 MEDIUM