Every CVE whose affected-product data names Redhat Ansible, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (45)
CVE-2014-4678 — CVSS 9.8 (critical): The safe_eval function in Ansible before 1.6.4 does not properly restrict the code subset, which allows remote attackers to execute…
CVE-2017-7550 — CVSS 9.8 (critical): A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module…
CVE-2014-4967 — CVSS 9.8 (critical): Multiple argument injection vulnerabilities in Ansible before 1.6.7 allow remote attackers to execute arbitrary code by leveraging access…
CVE-2014-4966 — CVSS 9.8 (critical): Ansible before 1.6.7 does not prevent inventory data with "{{" and "lookup" substrings, and does not prevent remote data with "{{"…
CVE-2014-4657 — CVSS 9.8 (critical): The safe_eval function in Ansible before 1.5.4 does not properly restrict the code subset, which allows remote attackers to execute…
CVE-2014-3498 — CVSS 8.8 (high): The user module in ansible before 1.6.6 allows remote authenticated users to execute arbitrary commands.
CVE-2016-9587 — CVSS 8.1 (high): Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling of data sent from client systems…
CVE-2017-7466 — CVSS 8.0 (high): Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control…
CVE-2020-10684 — CVSS 7.9 (high): A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using…
CVE-2015-6240 — CVSS 7.8 (high): The chroot, jail, and zone connection plugins in ansible before 1.9.2 allow local users to escape a restricted environment via a symlink…
CVE-2016-3096 — CVSS 7.8 (high): The create_script function in the lxc_container module in Ansible before 1.9.6-1 and 2.x before 2.0.2.0 allows local users to write to…
CVE-2016-8628 — CVSS 7.6 (high): Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller. An attacker with the ability to…
CVE-2022-3697 — CVSS 7.5 (high): A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module…
CVE-2013-2233 — CVSS 7.4 (high): Ansible before 1.2.1 makes it easier for remote attackers to conduct man-in-the-middle attacks by leveraging failure to cache SSH host keys.
CVE-2019-14904 — CVSS 7.3 (high): A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the…
CVE-2023-5764 — CVSS 7.1 (high): A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation…
CVE-2020-25636 — CVSS 6.6 (medium): A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are…
CVE-2019-10206 — CVSS 6.5 (medium): ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt…
CVE-2019-10217 — CVSS 6.5 (medium): A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these…
CVE-2019-14864 — CVSS 6.5 (medium): Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_log set it…
CVE-2016-8614 — CVSS 6.3 (medium): A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key fingerprints, allowing remote adversary…
CVE-2021-20180 — CVSS 5.5 (medium): A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature…
CVE-2021-20178 — CVSS 5.5 (medium): A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature…
CVE-2014-4658 — CVSS 5.5 (medium): The vault subsystem in Ansible before 1.5.5 does not set the umask before creation or modification of a vault file, which allows local…
CVE-2014-4660 — CVSS 5.5 (medium): Ansible before 1.5.5 constructs filenames containing user and password fields on the basis of deb lines in sources.list, which might allow…
CVE-2014-4659 — CVSS 5.5 (medium): Ansible before 1.5.5 sets 0644 permissions for sources.list, which might allow local users to obtain sensitive credential information in…
CVE-2021-3447 — CVSS 5.5 (medium): A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on…
CVE-2021-20191 — CVSS 5.5 (medium): A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log…
CVE-2019-10156 — CVSS 5.4 (medium): A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and 2.8.2, causing the possibility of…
CVE-2018-16876 — CVSS 5.3 (medium): ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to a information disclosure flaw in vvv+ mode with no_log on that can lead to…
CVE-2020-10744 — CVSS 5.0 (medium): An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from…
CVE-2024-0690 — CVSS 5.0 (medium): An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios…
CVE-2020-25635 — CVSS 5.0 (medium): A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is…
CVE-2020-1733 — CVSS 5.0 (medium): A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with an…
CVE-2015-3908 — CVSS 4.3 (medium): Ansible before 1.9.2 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName…
CVE-2019-3828 — CVSS 4.2 (medium): Ansible fetch module before versions 2.5.15, 2.6.14, 2.7.8 has a path traversal vulnerability which allows copying and overwriting files…
CVE-2020-1735 — CVSS 4.2 (medium): A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then…
CVE-2020-1738 — CVSS 3.9 (low): A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task…
CVE-2020-1740 — CVSS 3.9 (low): A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another…
CVE-2020-1739 — CVSS 3.9 (low): A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of…
CVE-2013-4260 — CVSS 3.3 (low): lib/ansible/playbook/__init__.py in Ansible 1.2.x before 1.2.3, when playbook does not run due to an error, allows local users to overwrite…
CVE-2020-1736 — CVSS 2.2 (low): A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This sets the…
CVE-2013-4259 — CVSS 1.9 (low): runner/connection_plugins/ssh.py in Ansible before 1.2.3, when using ControlPersist, allows local users to redirect a ssh session via a…