VulnerableCode Package Details - pkg:deb/ubuntu/ansible@2.9.2%2Bdfsg-1

Search for packages

Vulnerability	Summary	Fixed by
VCID-1puc-u4y9-aaap Aliases: CVE-2019-14904 GHSA-gwr8-5j83-483c PYSEC-2020-161 PYSEC-2020-180	A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.	2.9.4+dfsg-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-wkkk-5njy-aaaa Aliases: CVE-2019-14905 GHSA-frxj-5j27-f8rf PYSEC-2020-206	A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.	2.9.4+dfsg-1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}
VCID-yxbw-377b-aaan Aliases: CVE-2020-10729 GHSA-r6h7-5pq2-j77h PYSEC-2021-105	A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.	2.9.6+dfsg-1 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-1puc-u4y9-aaap
Aliases:
CVE-2019-14904
GHSA-gwr8-5j83-483c
PYSEC-2020-161
PYSEC-2020-180

A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as previous versions are affected.

2.9.4+dfsg-1
Affected by 1 other vulnerability.

VCID-wkkk-5njy-aaaa
Aliases:
CVE-2019-14905
GHSA-frxj-5j27-f8rf
PYSEC-2020-206

A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.

2.9.4+dfsg-1
Affected by 1 other vulnerability.

VCID-yxbw-377b-aaan
Aliases:
CVE-2020-10729
GHSA-r6h7-5pq2-j77h
PYSEC-2021-105

A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the same length generate the equal value as the template caching action for the same file since no re-evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at once for the file. This flaw affects Ansible Engine versions before 2.9.6.

2.9.6+dfsg-1
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-m1j9-6xnm-aaac	Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.	CVE-2019-14864 GHSA-3m93-m4q6-mc6v PYSEC-2020-160 PYSEC-2020-179

Vulnerability

Summary

Aliases

VCID-m1j9-6xnm-aaac

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks results events to collectors. This would discloses and collects any sensitive data.

CVE-2019-14864
GHSA-3m93-m4q6-mc6v
PYSEC-2020-160
PYSEC-2020-179

Next non-vulnerable version	2.9.6+dfsg-1
Latest non-vulnerable version	2.9.6+dfsg-1
Risk	4.0