ELA-1759-1 ansible security update

multiple vulnerabilities

2026-06-26
Package: ansible
Version: 2.7.7+dfsg-1+deb10u3 (buster)
Related CVEs: CVE-2019-14858 CVE-2019-14905 CVE-2020-1737 CVE-2020-14330 CVE-2021-3583 CVE-2023-4237 CVE-2023-5115 CVE-2023-5764 CVE-2024-0690 CVE-2024-8775 CVE-2024-9902 CVE-2024-11079


Several flaws were found in ansible, a configuration management, deployment, and task execution system.

CVE-2019-14858

When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.

CVE-2019-14905

A vulnerability was found in Ansible Engine's nxos_file_copy module, which can be used to copy files to the flash or bootflash of NXOS devices. A malicious actor could craft the filename parameter to perform OS command injection. This could result in a loss of confidentiality of the system, among other issues.

CVE-2020-1737

A flaw was found in Ansible when using the Extract-Zip function from the win_unzip module: the extracted file(s) are not checked to ensure they belong to the destination folder. An attacker could take advantage of this flaw by crafting an archive that uses path traversal to write files anywhere in the file system.
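The missing check described above is a destination-containment check: before anything is written, every entry name in the archive must resolve to a path that stays inside the target directory. The following is an added illustration, not code from Ansible or from the win_unzip module (which is PowerShell); it shows the check in Python against a constructed archive with one benign entry and one traversal entry. Python's own ZipFile.extractall already strips ".." and absolute prefixes on extraction, so the check is made explicit here to show what a safe extractor must enforce. The archive contents and the destination path are assumptions.

```python
import io
import os
import zipfile


def unsafe_members(zf, dest):
    """Return the archive entry names that would be written outside ``dest``.

    This is the containment check the advisory says win_unzip lacked: every
    entry's final path is resolved and must remain under the destination.
    Absolute names are flagged too, even though ZipFile.extractall strips them.
    """
    dest_real = os.path.realpath(dest)
    escaping = []
    for info in zf.infolist():
        name = info.filename
        target = os.path.realpath(os.path.join(dest_real, name))
        inside = os.path.commonpath([dest_real, target]) == dest_real
        if os.path.isabs(name) or not inside:
            escaping.append(name)
    return escaping


def safe_extract(zf, dest):
    """Extract only after the whole archive has passed the containment check,
    so a single traversal entry aborts the operation instead of being skipped."""
    escaping = unsafe_members(zf, dest)
    if escaping:
        raise ValueError("refusing to extract entries outside %s: %s" % (dest, escaping))
    zf.extractall(dest)
    return len(zf.infolist())


def build_sample_archive():
    """Constructed sample archive (not from the advisory): one benign entry
    and one entry whose name climbs out of the destination directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as out:
        out.writestr("conf/app.yml", "key: value\n")
        out.writestr("../../outside/evil.conf", "should never be written\n")
    buf.seek(0)
    return zipfile.ZipFile(buf)


if __name__ == "__main__":
    archive = build_sample_archive()
    print(unsafe_members(archive, "/tmp/extract-here"))
```

Resolving with os.path.realpath and comparing with os.path.commonpath handles both ".." components and symlinked destination directories; checking the whole archive before extracting anything avoids a partial write when a later entry is rejected.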

CVE-2020-14330 (regression in previous fix)

A regression was found that caused the obfuscation of sensitive data to also apply to dictionary keys. This could cause ansible playbook runs to break if a password happened to be a substring of any of the required dictionary keys returned by ansible tasks, e.g. “changed”. This is fixed with this release.

CVE-2023-4237

When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system’s confidentiality, integrity, and availability.

CVE-2023-5764

A template injection flaw was found in Ansible: internal templating operations on the controller may remove the unsafe designation from template data. This issue could allow an attacker to introduce template injection via a specially crafted file when supplying templating data.

CVE-2024-0690

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
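CVE-2019-14858, CVE-2020-14330 and CVE-2024-0690 above are all about the ordering and scope of no_log masking: secret values must be collected from the argument_spec before validation can fail, masking must apply to every part of the logged result (loop items included), and it must not touch dictionary keys. The following is an added example, not Ansible's own code; it models a simplified argument_spec with sub-options, a minimal validator, and a loop result, and assumes the placeholder string Ansible substitutes for masked values. The spec, the loop items and the shape of the result are constructed for illustration.

```python
NO_LOG_PLACEHOLDER = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"  # the marker Ansible substitutes


def no_log_values(spec, params):
    """Collect every string value whose spec entry is marked no_log, descending
    into sub-option specs ('options') for dict and list-of-dict parameters.
    Unknown parameter names are ignored here on purpose: collection must not
    fail before masking, which is exactly what went wrong in CVE-2019-14858."""
    secrets = set()
    for name, opt in spec.items():
        value = params.get(name)
        if value is None:
            continue
        if opt.get("no_log"):
            for v in (value if isinstance(value, list) else [value]):
                if isinstance(v, str) and v:
                    secrets.add(v)
        sub_spec = opt.get("options")
        if sub_spec and isinstance(value, dict):
            secrets |= no_log_values(sub_spec, value)
        elif sub_spec and isinstance(value, list):
            for item in value:
                if isinstance(item, dict):
                    secrets |= no_log_values(sub_spec, item)
    return secrets


def remove_values(obj, secrets):
    """Replace any string that contains a secret, anywhere in a nested result.
    Dictionary keys are deliberately left untouched: masking keys is the
    CVE-2020-14330 regression that broke runs when a password happened to be
    a substring of a key such as 'changed'."""
    if isinstance(obj, str):
        return NO_LOG_PLACEHOLDER if any(s in obj for s in secrets) else obj
    if isinstance(obj, dict):
        return {k: remove_values(v, secrets) for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return [remove_values(v, secrets) for v in obj]
    return obj


def validate_params(spec, params):
    """Minimal stand-in for argument_spec validation: reject unknown names at
    any level. Raises ValueError, like a module calling fail_json would."""
    unknown = sorted(k for k in params if k not in spec)
    if unknown:
        raise ValueError("Unsupported parameters: " + ", ".join(unknown))
    for name, opt in spec.items():
        sub_spec = opt.get("options")
        if sub_spec and isinstance(params.get(name), dict):
            validate_params(sub_spec, params[name])


def run_task(spec, loop_items):
    """Build the result a looped task would log. Secrets are collected from
    every item first, then masking is applied to the whole result, including
    the failure path and the per-item 'results' list (the CVE-2024-0690 case)."""
    secrets = set()
    for item in loop_items:
        secrets |= no_log_values(spec, item)
    results = []
    for item in loop_items:
        try:
            validate_params(spec, item)
            results.append({"item": item, "changed": True,
                            "invocation": {"module_args": item}})
        except ValueError as exc:
            results.append({"item": item, "failed": True, "msg": str(exc),
                            "invocation": {"module_args": item}})
    summary = {"changed": any(r.get("changed", False) for r in results),
               "failed": any(r.get("failed", False) for r in results),
               "results": results}
    return remove_values(summary, secrets)


# Constructed sample spec and loop items (not from the advisory). The second
# item carries an unknown parameter so that validation fails for it.
SPEC = {
    "name": {"type": "str"},
    "auth": {"type": "dict", "options": {
        "user": {"type": "str"},
        "password": {"type": "str", "no_log": True},
    }},
}
ITEMS = [
    {"name": "db1", "auth": {"user": "admin", "password": "hunter2"}},
    {"name": "db2", "auth": {"user": "admin", "password": "chang"}, "bogus": "x"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(run_task(SPEC, ITEMS), indent=2))
```

The second item's password is chosen to be a substring of the key "changed": the masked output still contains that key, while the password itself is replaced in both the failed item's invocation and the successful item's echoed loop data.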

CVE-2024-8775

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.

CVE-2024-9902

The ansible-core user module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the user module against the unprivileged user’s home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.

CVE-2024-11079

This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.

For Debian 10 buster, these problems have been fixed in version 2.7.7+dfsg-1+deb10u3.

We recommend that you upgrade your ansible packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.