ansible security vulnerabilities

Weave Net is open source software which creates a virtual network that connects Docker containers across multiple hosts and enables their automatic discovery. A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. An exploitable vulnerability exists in the yaml loading functionality of ansible-vault before 1.0.5. A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. (e.g. CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). This flaw allows a malicious Satellite user to scan through the Job Invocation, with the ability to search for passwords and other sensitive data. Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. SUSE OpenStack Cloud 9 ardana-ansible versions prior to 9.0+git.1581611758.f694f7d-3.16.1, ardana-. A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. This flaw leads to malicious packages being installed on the system and arbitrary code executed via package installation scripts. Note: this vulnerability was fixed on 2015-03-06, but the version number was not changed. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is. A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. service_account_contents() which is common class for all gcp modules is not setting no_log to True. By taking advantage of unintended variable substitution the content of any variable may be disclosed. Missing permission checks in Jenkins Ansible Plugin 1.0 and earlier allow attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate the privilege from a low privileged user to the awx user from outside the isolated environment. An attacker could take advantage to overwrite any file within the system. A flaw was found in the solaris_zone module from the Ansible Community modules. This release fixes a Cross Site Request Forgery vulnerability was found in Red Hat CloudForms which forces end users to execute unwanted actions on a web application in which the user is currently authenticated. Known limitations & technical details, User agreement, disclaimer and privacy statement. Any user with access to the Tower server, and knowledge of when a backup is run, could retrieve every credential stored in Tower. Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. A Server Side Request Forgery flaw can be abused by supplying a URL which could lead to the server processing it connecting to internal services or exposing additional internal services and more particularly retrieving full details in case of error. Ansible Tower (aka Ansible UI) before 2.0.5 allows remote attackers to bypass authentication and obtain sensitive information via a websocket connection to socket.io/1/. An attacker with access to the container could use this flaw to modify /etc/passwd and escalate their privileges. openssl_privatekey_info exposes private key in logs. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. Versions before ceph-ansible 6.0.0alpha1 are affected. One should also make sure that the TURN server is set up with firewall rules so that it cannot relay to other addresses that you don't want the TURN server to relay to. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. In the configuration that we ship (https://github.com/wireapp/ansible-restund/blob/master/templates/restund.conf.j2#L40-L43) the `status` interface of restund is enabled and is listening on `127.0.0.1`.The `status` interface allows users to issue administrative commands to `restund` like listing open relays or draining connections. Once published, anyone who downloads or installs the collection can view the secrets. In convert2rhel, there's an ansible playbook named ansible/run-convert2rhel.yml which passes the Red Hat Subscription Manager user password via the CLI to convert2rhel. The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local users to obtain sensitive key information by reading a file. This issue affects mainly the service availability. For example other services in the same VPC where the TURN server is running. This issue affects: SUSE OpenStack Cloud 7 crowbar-core versions prior to 4.0+git.1578392992.fabfd186c-9.63.1, crowbar-. Thus the previous password would still be active when it should have been changed. This flaw allows an attacker to obtain a refresh token that does not expire. This flaw allows attackers to perform command injection, which discloses sensitive information. Quotations around the values of ETCD_CLIENT_CERT_AUTH and ETCD_PEER_CLIENT_CERT_AUTH in etcd.conf result in etcd being configured to allow remote users to connect without any authentication if they can access the etcd server bound to the network on the master nodes. Users who do not update to 2.8.0 can edit the hostPID line in their existing DaemonSet manifest to say false instead of true, arrange some other way to install CNI plugins (e.g. Ansible Tower before version 3.3.3 does not set a secure channel as it is using the default insecure configuration channel settings for messaging celery workers from RabbitMQ. ** DISPUTED ** core.py in Mitogen before 0.2.8 has a typo that drops the unidirectional-routing protection mechanism in the case of a child that is initiated by another child. An attacker with the ability to create special variables on the controller could execute arbitrary commands on Ansible clients as the user Ansible runs as. Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. A flaw was found in the pipe lookup plugin of ansible. This flaw allows an attacker to obtain sensitive information. A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys. OpenShift Container Platform (OCP) 3.11 is too permissive in the way it specified CORS allowed origins during installation. An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. Showing those credentials in clear text form for every user which have access just to the process list. A flaw was found in Ansible Tower when running Openshift. A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. Sensitive information, such tokens and other secrets could be readable and exposed from the rsyslog configuration file, which has set the wrong world-readable permissions. This site will NOT BE LIABLE FOR ANY DIRECT, This flaw affects Ansible Tower 3.7 and Ansible Automation Platform 1.2. Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. The Ansible edxapp role in the Configuration Repo in edX allows remote websites to spoof edX accounts by leveraging use of the string literal "False" instead of a boolean False for the CORS_ORIGIN_ALLOW_ALL setting. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task. A man in the middle vulnerability exists in Jenkins Ansible Plugin 0.8 and older in AbstractAnsibleInvocation.java, AnsibleAdHocCommandBuilder.java, AnsibleAdHocCommandInvocationTest.java, AnsibleContext.java, AnsibleJobDslExtension.java, AnsiblePlaybookBuilder.java, AnsiblePlaybookStep.java that disables host key verification by default. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems. A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. Ansible Engine 2.8 and older are believed to be vulnerable. Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. Red Hat CloudForms 4.7 and 5 was vulnerable to Server-Side Request Forgery (SSRF) flaw. The highest threat from this vulnerability is to data confidentiality. A flaw was found in Ansible Tower in versions before 3.7.2. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. An attacker can take advantage of writing a playbook polluting this cache, causing a denial of service attack. : CVE-2009-1234 or 2010-1234 or 20101234), Take a third party risk management course for FREE, How does it work? This flaw affects Ansible Engine versions before 2.9.6. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in opportunistic circumstances by reading a file that uses the "deb http://user:pass@server:port/" format. An attacker, able to man-in-the-middle the connection between the user's browser and the openshift console, could use this flaw to perform a phishing attack. INDIRECT or any other kind of loss. Files would remain in the bucket exposing the data. An attacker can take advantage of this information to steal those credentials, provided when they have access to the log files containing them. This flaw allows unauthorized users to read this data. This flaw does not affect Ansible modules, as those are executed in a separate process. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. Any secret information in an async status file will be readable by a malicious user on that system. This directory is created with "umask 77 && mkdir -p