Vulnerabilities > Redhat > Ansible Tower

DATE CVE VULNERABILITY TITLE RISK
2020-03-31 CVE-2019-14905 Exposure of Resource to Wrong Sphere vulnerability in multiple products
A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices.
local
low complexity
redhat fedoraproject opensuse CWE-668
5.6
2020-03-24 CVE-2020-10684 Missing Authorization vulnerability in multiple products
A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean.
local
low complexity
redhat debian fedoraproject CWE-862
7.1
2020-03-16 CVE-2020-1740 Insecure Temporary File vulnerability in multiple products
A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files.
local
high complexity
redhat debian fedoraproject CWE-377
4.7
2020-03-16 CVE-2020-1738 Argument Injection or Modification vulnerability in Redhat products
A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified.
local
high complexity
redhat CWE-88
3.9
2020-03-16 CVE-2020-1736 Incorrect Permission Assignment for Critical Resource vulnerability in multiple products
A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified.
local
low complexity
redhat fedoraproject CWE-732
3.3
2020-03-16 CVE-2020-1735 Path Traversal vulnerability in multiple products
A flaw was found in the Ansible Engine when the fetch module is used.
local
low complexity
redhat debian fedoraproject CWE-22
4.6
2020-03-16 CVE-2020-1753 Information Exposure Through Process Environment vulnerability in multiple products
A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module.
local
low complexity
redhat debian fedoraproject CWE-214
5.5
2020-03-12 CVE-2020-1739 Information Exposure vulnerability in multiple products
A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node.
local
low complexity
redhat fedoraproject debian CWE-200
3.9
2020-03-11 CVE-2020-1733 Race Condition vulnerability in multiple products
A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an unprivileged become user.
local
high complexity
redhat fedoraproject debian CWE-362
5.0
2020-03-09 CVE-2020-1737 Path Traversal vulnerability in Redhat Ansible Tower
A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder.
local
low complexity
redhat CWE-22
7.8