CVE-2021-4112

all versions

A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attack

8.8HIGH

CVE-2021-3583

< 3.7.0

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts use

7.1HIGH

CVE-2020-14329

< 3.7.2

A data exposure flaw was found in Ansible Tower in versions before 3.7.2, where sensitive data can be exposed from the /api/v2/lab

3.3LOW

CVE-2020-14328

< 3.7.2

A flaw was found in Ansible Tower in versions before 3.7.2. A Server Side Request Forgery flaw can be abused by supplying a URL wh

3.3LOW

CVE-2020-14327

< 3.6.5

A Server-side request forgery (SSRF) flaw was found in Ansible Tower in versions before 3.6.5 and before 3.7.2. Functionality on t

5.5MEDIUM

CVE-2020-10709

< 3.5.6

A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the toke

7.1HIGH

CVE-2020-10698

< 3.4.6

A flaw was found in Ansible Tower when running jobs. This flaw allows an attacker to access the stdout of the executed jobs which

3.3LOW

CVE-2020-10697

< 3.4.6

A flaw was found in Ansible Tower when running Openshift. Tower runs a memcached, which is accessed via TCP. An attacker can take

4.4MEDIUM

CVE-2021-20191

all versions

A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_l

5.5MEDIUM

CVE-2021-20178

all versions

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security

5.5MEDIUM

CVE-2021-20228

all versions

A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log fe

7.5HIGH

CVE-2021-3447

< 3.8.2

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-

5.5MEDIUM

CVE-2021-20253

< 3.6.7

A flaw was found in ansible-tower. The default installation is vulnerable to Job Isolation escape allowing an attacker to elevate

6.7MEDIUM

CVE-2020-14365

>= 3.6.0 and <= 3.6.5

A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x before 2.9.13, when install

7.1HIGH

CVE-2020-14337

all versions

A data exposure flaw was found in Tower, where sensitive data was revealed from the HTTP return error codes. This flaw allows an u

5.8MEDIUM

CVE-2020-10782

all versions

An exposure of sensitive information flaw was found in Ansible version 3.7.0. Sensitive information, such tokens and other secrets

6.5MEDIUM

CVE-2020-10744

>= 3.4.0 and <= 3.4.5

An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user f

5.0MEDIUM

CVE-2020-1746

>= 3.4.0 and <= 3.4.5

A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x bef

5.0MEDIUM

CVE-2020-10685

<= 3.4.5

A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before

5.0MEDIUM

CVE-2020-10691

all versions

An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection in

5.2MEDIUM

CVE-2019-14905

all versions

A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, wher

5.6MEDIUM

CVE-2020-10684

<= 3.3.5

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using

7.9HIGH

CVE-2020-1740

<= 3.3.4

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit"

3.9LOW

CVE-2020-1738

<= 3.3.4

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previ

3.9LOW

CVE-2020-1736

<= 3.3.4

A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified. This set

2.2LOW

CVE-2020-1735

<= 3.3.4

A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, a

4.2MEDIUM

CVE-2020-1753

<= 3.3.4

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.1

5.0MEDIUM

CVE-2020-1739

<= 3.3.4

A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "passw

3.9LOW

CVE-2020-1733

<= 3.3.4

A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when running a playbook with

5.0MEDIUM

CVE-2020-1737

<= 3.3.4

A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the wi

7.5HIGH

CVE-2020-1734

<= 3.3.4

A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup plugin uses subprocess.

7.4HIGH

CVE-2019-14864

all versions

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not respecting the flag no_l

6.5MEDIUM

CVE-2019-19342

>= 3.5.0 and < 3.5.4

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.4, when /websocket is requested and the passwo

5.3MEDIUM

CVE-2019-19341

>= 3.6.0 and < 3.6.2

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2, where files in '/var/backup/tower' are left world-readable. These

5.5MEDIUM

CVE-2019-19340

>= 3.5.0 and < 3.5.3

A flaw was found in Ansible Tower, versions 3.6.x before 3.6.2 and 3.5.x before 3.5.3, where enabling RabbitMQ manager by setting

8.2HIGH

CVE-2019-14890

all versions

A vulnerability was found in Ansible Tower before 3.6.1 where an attacker with low privilege could retrieve usernames and password

8.4HIGH

CVE-2019-14858

>= 3.0 and <= 3.5.0

A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with

5.5MEDIUM

CVE-2019-10312

<= 0.9.1

A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#

4.3MEDIUM

CVE-2019-10311

<= 0.9.1

A missing permission check in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstallationDescriptor#

8.8HIGH

CVE-2019-10310

<= 0.9.1

A cross-site request forgery vulnerability in Jenkins Ansible Tower Plugin 0.9.1 and earlier in the TowerInstallation.TowerInstall

8.8HIGH

CVE-2019-3869

< 3.3.5

When running Tower before 3.4.3 on OpenShift or Kubernetes, application credentials are exposed to playbook job runs via environme

7.2HIGH

CVE-2019-3838

all versions

It was found that the forceput operator could be extracted from the DefineResource method in ghostscript before 9.27. A specially

5.5MEDIUM

CVE-2019-3835

all versions

It was found that the superexec operator was available in the internal dictionary in ghostscript before 9.27. A specially crafted

5.5MEDIUM

CVE-2018-16879

< 3.3.3

Ansible Tower before version 3.3.3 does not set a secure channel as it is using the default insecure configuration channel setting

9.8CRITICAL

CVE-2018-16837

all versions

Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations su

7.8HIGH

CVE-2018-1000805

all versions

Paramiko version 2.4.1, 2.3.2, 2.2.3, 2.1.5, 2.0.8, 1.18.5, 1.17.6 contains a Incorrect Access Control vulnerability in SSH server

8.8HIGH

CVE-2018-17456

all versions

Git before 2.14.5, 2.15.x before 2.15.3, 2.16.x before 2.16.5, 2.17.x before 2.17.2, 2.18.x before 2.18.1, and 2.19.x before 2.19.

9.8CRITICAL

CVE-2016-7070

< 3.0.3

A privilege escalation flaw was found in the Ansible Tower. When Tower before 3.0.3 deploys a PostgreSQL database, it incorrectly

8.0HIGH

CVE-2017-7528

all versions

Ansible Tower as shipped with Red Hat CloudForms Management Engine 5 is vulnerable to CRLF Injection. It was found that X-Forwarde

5.2MEDIUM

CVE-2018-10884

>= 3.1.0 and <= 3.1.8

Ansible Tower before versions 3.1.8 and 3.2.6 is vulnerable to cross-site request forgery (CSRF) in awx/api/authentication.py. An

8.8HIGH

CVE-2015-9262

all versions

_XcursorThemeInherits in library.c in libXcursor before 1.1.15 allows remote attackers to cause denial of service or potentially c

9.8CRITICAL

CVE-2018-14682

all versions

An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the TOLOWER() macro for CHM

8.8HIGH

CVE-2018-14681

all versions

An issue was discovered in kwajd_read_headers in mspack/kwajd.c in libmspack before 0.7alpha. Bad KWAJ file header extensions coul

8.8HIGH

CVE-2018-14680

all versions

An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. It does not reject blank CHM filenames.

6.5MEDIUM

CVE-2018-14679

all versions

An issue was discovered in mspack/chmd.c in libmspack before 0.7alpha. There is an off-by-one error in the CHM PMGI/PMGL chunk num

6.5MEDIUM

CVE-2017-12148

< 3.1.5

A flaw was found in Ansible Tower's interface before 3.1.5 and 3.2.0 with SCM repositories. If a Tower project (SCM repository) de

8.4HIGH

CVE-2018-13988

all versions

Poppler through 0.62 contains an out of bounds read vulnerability due to an incorrect memory access that is not mapped in its memo

6.5MEDIUM

CVE-2018-12910

all versions

The get_cookies function in soup-cookie-jar.c in libsoup 2.63.2 allows attackers to have unspecified impact via an empty hostname.

9.8CRITICAL

CVE-2018-1061

all versions

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in the difflib.IS_LI

6.5MEDIUM

CVE-2018-1060

all versions

python before versions 2.7.15, 3.4.9, 3.5.6rc1, 3.6.5rc1 and 3.7.0 is vulnerable to catastrophic backtracking in pop3lib's apop()

7.5HIGH

CVE-2018-0495

all versions

Libgcrypt before 1.7.10 and 1.8.x before 1.8.3 allows a memory-cache side-channel attack on ECDSA signatures that can be mitigated

4.7MEDIUM

CVE-2017-18267

all versions

The FoFiType1C::cvtGlyph function in fofi/FoFiType1C.cc in Poppler through 0.64.0 allows remote attackers to cause a denial of ser

5.5MEDIUM

CVE-2018-10768

all versions

There is a NULL pointer dereference in the AnnotPath::getCoordsLength function in Annot.h in an Ubuntu package for Poppler 0.24.5.

6.5MEDIUM

CVE-2018-10767

all versions

There is a stack-based buffer over-read in calling GLib in the function gxps_images_guess_content_type of gxps-images.c in libgxps

6.5MEDIUM

CVE-2018-10733

all versions

There is a heap-based buffer over-read in the function ft_font_face_hash of gxps-fonts.c in libgxps through 0.3.0. A crafted input

6.5MEDIUM

CVE-2018-1104

<= 3.2.3

Ansible Tower through version 3.2.3 has a vulnerability that allows users only with access to define variables for a job template

8.8HIGH

CVE-2018-1101

< 3.2.4

Ansible Tower before version 3.2.4 has a flaw in the management of system and organization administrators that allows for privileg

7.2HIGH

CVE-2015-1482

<= 2.0.4

Ansible Tower (aka Ansible UI) before 2.0.5 allows remote attackers to bypass authentication and obtain sensitive information via

CVE-2015-1481

<= 2.0.4

Ansible Tower (aka Ansible UI) before 2.0.5 allows remote organization administrators to gain privileges by creating a superuser a

CVE-2015-1368

<= 2.0.2

Multiple cross-site scripting (XSS) vulnerabilities in Ansible Tower (aka Ansible UI) before 2.0.5 allow remote attackers to injec