Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:redhat:ansible:0.8:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 29 matching records.
Displaying matches 21 through 29.
Vuln ID Summary CVSS Severity
CVE-2016-8628

Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as.

Published: July 31, 2018; 4:29:00 PM -0400
V3.0: 9.1 CRITICAL
V2.0: 9.0 HIGH
CVE-2017-7466

Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.

Published: June 22, 2018; 9:29:00 AM -0400
V3.0: 8.0 HIGH
V2.0: 8.5 HIGH
CVE-2013-2233

Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys.

Published: May 04, 2018; 4:29:00 PM -0400
V3.0: 7.4 HIGH
V2.0: 5.8 MEDIUM
CVE-2016-9587

Ansible before versions 2.1.4 and 2.2.1 is vulnerable to improper input validation in Ansible's handling of data sent from client systems. An attacker with control over a client system being managed by Ansible and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges.

Published: April 24, 2018; 12:29:00 PM -0400
V3.1: 8.1 HIGH
V2.0: 9.3 HIGH
CVE-2014-3498

The user module in Ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands.

Published: June 08, 2017; 2:29:00 PM -0400
V3.0: 8.8 HIGH
V2.0: 6.5 MEDIUM
CVE-2015-6240

The chroot, jail, and zone connection plugins in Ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack.

Published: June 07, 2017; 4:29:00 PM -0400
V3.0: 7.8 HIGH
V2.0: 7.2 HIGH
CVE-2016-3096

The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived container in the archive_path directory, or the (3) lxc-attach-script.log or (4) lxc-attach-script.err files in the temporary directory.

Published: June 03, 2016; 10:59:04 AM -0400
V3.0: 7.8 HIGH
V2.0: 7.2 HIGH
CVE-2015-3908

Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Published: August 12, 2015; 10:59:21 AM -0400
V3.x: (not available)
V2.0: 4.3 MEDIUM
CVE-2013-4259

runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect an SSH session via a symlink attack on a socket file with a predictable name in /tmp/.

Published: September 16, 2013; 3:14:39 PM -0400
V3.x: (not available)
V2.0: 1.9 LOW