Ansible — CVE history (PyPI)
Ansible
48 CVEs affect the Ansible PyPI package (highest CVSS 9.8). Latest disclosed: 2022-04-18. Full CVE history sourced from NVD.
Summary
- Package: Ansible (PyPI)
- Total CVEs: 48
- Actively exploited (CISA KEV): 0
- Highest CVSS: 9.8
- Latest disclosed: 2022-04-18
Recent CVEs (top 20)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2021-3681 | — | — | — | 2022-04-18 | A flaw was found in Ansible Galaxy Collections. |
| CVE-2021-20180 | — | — | — | 2022-03-16 | A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. |
| CVE-2021-3620 | — | — | — | 2022-03-03 | A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. |
| CVE-2021-3583 | — | — | — | 2021-09-22 | A flaw was found in Ansible, where a user's controller is vulnerable to template injection. |
| CVE-2020-10729 | — | — | — | 2021-05-27 | A flaw was found in the use of insufficiently random values in Ansible. |
| CVE-2021-20191 | — | — | — | 2021-05-26 | A flaw was found in ansible. |
| CVE-2021-20178 | — | — | — | 2021-05-26 | A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. |
| CVE-2021-20228 | — | — | — | 2021-04-29 | A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. |
| CVE-2021-3447 | — | — | — | 2021-04-01 | A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. |
| CVE-2020-14365 | — | — | — | 2020-09-23 | A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when installing packages using the dnf module. |
| CVE-2020-14332 | Medium | 5.5 | — | 2020-09-11 | A flaw was found in the Ansible Engine when using module_args. |
| CVE-2020-14330 | Medium | 5.0 | — | 2020-09-11 | An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. |
| CVE-2019-14904 | — | — | — | 2020-08-25 | A flaw was found in the solaris_zone module from the Ansible Community modules. |
| CVE-2020-10744 | Medium | 5.0 | — | 2020-05-15 | An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. |
| CVE-2020-1746 | Medium | 5.0 | — | 2020-05-12 | A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr… |
| CVE-2020-10685 | Medium | 5.0 | — | 2020-05-11 | A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules whi… |
| CVE-2020-10691 | Medium | 5.2 | — | 2020-04-30 | An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. |
| CVE-2019-14905 | High | 7.3 | — | 2020-03-31 | A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. |
| CVE-2020-10684 | High | 7.9 | — | 2020-03-24 | A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the an… |
| CVE-2020-1738 | Low | 3.9 | — | 2020-03-16 | A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. |
All-time worst (top 10 by CVSS)
| CVE | Severity | CVSS | KEV | Published | Summary |
|---|---|---|---|---|---|
| CVE-2017-7550 | Critical | 9.8 | — | 2017-11-21 | A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. |
| CVE-2014-3498 | High | 8.8 | — | 2017-06-08 | The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands. |
| CVE-2020-10684 | High | 7.9 | — | 2020-03-24 | A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the an… |
| CVE-2015-6240 | High | 7.8 | — | 2017-06-07 | The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink attack. |
| CVE-2016-3096 | High | 7.8 | — | 2016-06-03 | The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to arbitrary files or gain privileges via a symlink attack on (1) /opt/.lxc-attach-script, (2) the archived… |
| CVE-2016-8628 | High | 7.6 | — | 2018-07-31 | Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. |
| CVE-2020-1737 | High | 7.5 | — | 2020-03-09 | A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. |
| CVE-2020-1734 | High | 7.4 | — | 2020-03-03 | A flaw was found in the pipe lookup plugin of ansible. |
| CVE-2019-14905 | High | 7.3 | — | 2020-03-31 | A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. |
| CVE-2019-14858 | High | 7.3 | — | 2019-10-14 | A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. |