A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line, not using an environment variable or an input configuration file. This will disclose passwords and tokens from process list and no_log directive from debug module would not have any effect making these secrets being disclosed on stdout and log files.

The remote SUSE Linux SLES15 / openSUSE 15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2024:1509-1 advisory.

  - A flaw was found in Ansible before version 2.2.0. The apt_key module does not properly verify key     fingerprints, allowing remote adversary to create an OpenPGP key which matches the short key ID and inject     this key instead of the correct key. (CVE-2016-8614)

  - Ansible before version 2.2.0 fails to properly sanitize fact variables sent from the Ansible controller.
    An attacker with the ability to create special variables on the controller could execute arbitrary     commands on Ansible clients as the user Ansible runs as. (CVE-2016-8628)

  - An input validation vulnerability was found in Ansible's mysql_user module before 2.2.1.0, which may fail     to correctly change a password in certain circumstances. Thus the previous password would still be active     when it should have been changed. (CVE-2016-8647)

  - Ansible before versions 2.1.4, 2.2.1 is vulnerable to an improper input validation in Ansible's handling     of data sent from client systems. An attacker with control over a client system being managed by Ansible     and the ability to send facts back to the Ansible server could use this flaw to execute arbitrary code on     the Ansible server using the Ansible server privileges. (CVE-2016-9587)

  - A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters     to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a     remote host's logs. This flaw was fixed by not allowing passwords to be specified in the params     argument, and noting this in the module documentation. (CVE-2017-7550)

  - In ansible it was found that inventory variables are loaded from current working directory when running     ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result.
    (CVE-2018-10874)

  - An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory     when running become_user from become directive. The provided fix is insufficient to prevent the race     condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as     previous versions are affected and Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are     affected. (CVE-2020-10744)

  - An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where     sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or     outputs of performed tasks to read keys used in playbooks from other users within the uri module. The     highest threat from this vulnerability is to data confidentiality. (CVE-2020-14330)

  - A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-     mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized     users to read this data. The highest threat from this vulnerability is to confidentiality.
    (CVE-2020-14332)

  - A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x     before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during     installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads     to malicious packages being installed on the system and arbitrary code executed via package installation     scripts. The highest threat from this vulnerability is to integrity and system availability.
    (CVE-2020-14365)

  - A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x     versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the     k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line,     not using an environment variable or an input configuration file. This will disclose passwords and tokens     from process list and no_log directive from debug module would not have any effect making these secrets     being disclosed on stdout and log files. (CVE-2020-1753)

  - A template injection flaw was found in Ansible where a user's controller internal templating operations     may remove the unsafe designation from template data. This issue could allow an attacker to use a     specially crafted file to introduce templating injection when supplying templating data. (CVE-2023-5764)

  - A user changing their email after signing up and verifying it can change it without verification in     profile settings. The configuration option verify_email_enabled will only validate email only on sign     up. (CVE-2023-6152)

  - An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG     configuration in some scenarios. Information is still included in the output in certain tasks, such as     loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret     values. (CVE-2024-0690)

  - It is possible for a user in a different organization from the owner of a snapshot to bypass authorization     and delete a snapshot by issuing a DELETE request to /api/snapshots/<key> using its view key. This     functionality is intended to only be available to individuals with the permission to write/edit to the     snapshot in question, but due to a bug in the authorization logic, deletion requests issued by an     unprivileged user in a different organization than the snapshot owner are treated as authorized. Grafana     Labs would like to thank Ravid Mazon and Jay Chen of Palo Alto Research for discovering and disclosing     this vulnerability. This issue affects Grafana: from 9.5.0 before 9.5.18, from 10.0.0 before 10.0.13, from     10.1.0 before 10.1.9, from 10.2.0 before 10.2.6, from 10.3.0 before 10.3.5. (CVE-2024-1313)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of ansible installed on the remote host is prior to 2.9.9-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2ANSIBLE2-2023-008 advisory.

  - A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6     respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is     enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by     altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into     privilege escalation or code injection. (CVE-2020-10684)

  - A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before     2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and     3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3     or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating     Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot     and the decryp emains when the host is switched off. The system will be vulnerable when the system is not     running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted     ble. (CVE-2020-10685)

  - An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running     ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created     without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.
    (CVE-2020-10691)

  - A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when     running a playbook with an unprivileged become user. When Ansible needs to run a module with become user,     the temporary directory is created in /var/tmp. This directory is created with umask 77 && mkdir -p     <dir>; this operation does not fail if the directory already exists and is owned by another user. An     attacker could take advantage to gain control of the become user as the target directory can be retrieved     by iterating '/proc/<pid>/cmdline'. (CVE-2020-1733)

  - A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the     module, inject a new path, and then choose a new destination path on the controller node. All versions in     2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. (CVE-2020-1735)

  - A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user     executes ansible-vault edit, another user on the same computer can read the old and new secret, as it is     created in a temporary file with mkstemp and the returned file descriptor is closed and the method     write_data is called to write the existing secret in the file. This method will delete the file before     recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
    (CVE-2020-1740)

  - A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x     before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and     3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP     bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters     field. The highest threat from this vulnerability is data confidentiality. (CVE-2020-1746)

  - A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x     versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the     k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line,     not using an environment variable or an input configuration file. This will disclose passwords and tokens     from process list and no_log directive from debug module would not have any effect making these secrets     being disclosed on stdout and log files. (CVE-2020-1753)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2022:0081-1 advisory.

  - A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered     to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker     to execute arbitrary code. (CVE-2018-10875)

  - Ansible User module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in     undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen     executable. Showing those credentials in clear text form for every user which have access just to the     process list. (CVE-2018-16837)

  - A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and     2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By     taking advantage of unintended variable substitution the content of any variable may be disclosed.
    (CVE-2019-10156)

  - In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine     2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a     library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those     are executed in a separate process. (CVE-2019-14846)

  - A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for     the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command     on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and     executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as     previous versions are affected. (CVE-2019-14904)

  - A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before     2.7.16 and earlier, where in Ansible's nxos_file_copy module can be used to copy files to a flash or     bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command     injections. This could result in a loss of confidentiality of the system among other issues.
    (CVE-2019-14905)

  - A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6     respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is     enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by     altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into     privilege escalation or code injection. (CVE-2020-10684)

  - A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before     2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and     3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3     or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating     Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot     and the decryp emains when the host is switched off. The system will be vulnerable when the system is not     running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted     ble. (CVE-2020-10685)

  - An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running     ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created     without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.
    (CVE-2020-10691)

  - A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the     same length generate the equal value as the template caching action for the same file since no re-     evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at     once for the file. This flaw affects Ansible Engine versions before 2.9.6. (CVE-2020-10729)

  - An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where     sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or     outputs of performed tasks to read keys used in playbooks from other users within the uri module. The     highest threat from this vulnerability is to data confidentiality. (CVE-2020-14330)

  - A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-     mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized     users to read this data. The highest threat from this vulnerability is to confidentiality.
    (CVE-2020-14332)

  - A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when     running a playbook with an unprivileged become user. When Ansible needs to run a module with become user,     the temporary directory is created in /var/tmp. This directory is created with umask 77 && mkdir -p     <dir>; this operation does not fail if the directory already exists and is owned by another user. An     attacker could take advantage to gain control of the become user as the target directory can be retrieved     by iterating '/proc/<pid>/cmdline'. (CVE-2020-1733)

  - A flaw was found in the pipe lookup plugin of ansible. Arbitrary commands can be run, when the pipe lookup     plugin uses subprocess.Popen() with shell=True, by overwriting ansible facts and the variable is not     escaped by quote plugin. An attacker could take advantage and run arbitrary commands by overwriting the     ansible facts. (CVE-2020-1734)

  - A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the     module, inject a new path, and then choose a new destination path on the controller node. All versions in     2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. (CVE-2020-1735)

  - A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode     cannot be specified. This sets the destination files world-readable if the destination file does not exist     and if the file exists, the file could be changed to have less restrictive permissions before the move.
    This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are     believed to be vulnerable. (CVE-2020-1736)

  - A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-     Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the     destination folder. An attacker could take advantage of this flaw by crafting an archive anywhere in the     file system, using a path traversal. This issue is fixed in 2.10. (CVE-2020-1737)

  - A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is     not specified. If a previous task is executed with a malicious user, the module sent can be selected by     the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to     be vulnerable. (CVE-2020-1738)

  - A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set     with the argument password of svn module, it is used on svn command line, disclosing to other users     within the same node. An attacker could take advantage by reading the cmdline file from that particular     PID on the procfs. (CVE-2020-1739)

  - A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user     executes ansible-vault edit, another user on the same computer can read the old and new secret, as it is     created in a temporary file with mkstemp and the returned file descriptor is closed and the method     write_data is called to write the existing secret in the file. This method will delete the file before     recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
    (CVE-2020-1740)

  - A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x     before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and     3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP     bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters     field. The highest threat from this vulnerability is data confidentiality. (CVE-2020-1746)

  - A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x     versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the     k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line,     not using an environment variable or an input configuration file. This will disclose passwords and tokens     from process list and no_log directive from debug module would not have any effect making these secrets     being disclosed on stdout and log files. (CVE-2020-1753)

  - A flaw was found in ansible module where credentials are disclosed in the console log by default and not     protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an     attacker to steal bitbucket_pipeline credentials. The highest threat from this vulnerability is to     confidentiality. (CVE-2021-20178, CVE-2021-20180)

  - A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default     and not protected by no_log feature when using those modules. An attacker can take advantage of this     information to steal those credentials. The highest threat from this vulnerability is to data     confidentiality. Versions before ansible 2.9.18 are affected. (CVE-2021-20191)

  - A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not     protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows     an attacker to obtain sensitive information. The highest threat from this vulnerability is to     confidentiality. (CVE-2021-20228)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4950 advisory.

  - A flaw was discovered in the way Ansible templating was implemented in versions before 2.6.18, 2.7.12 and     2.8.2, causing the possibility of information disclosure through unexpected variable substitution. By     taking advantage of unintended variable substitution the content of any variable may be disclosed.
    (CVE-2019-10156)

  - ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and     all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special     characters. Passwords should be wrapped to prevent templates trigger and exposing them. (CVE-2019-10206)

  - In Ansible, all Ansible Engine versions up to ansible-engine 2.8.5, ansible-engine 2.7.13, ansible-engine     2.6.19, were logging at the DEBUG level which lead to a disclosure of credentials if a plugin used a     library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those     are executed in a separate process. (CVE-2019-14846)

  - Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and Ansible versions 2.7.x before 2.7.15, is not     respecting the flag no_log set it to True when Sumologic and Splunk callback plugins are used send tasks     results events to collectors. This would discloses and collects any sensitive data. (CVE-2019-14864)

  - A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for     the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' bare command     on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and     executing arbitrary commands in the remote host. Ansible Engine 2.7.15, 2.8.7, and 2.9.2 as well as     previous versions are affected. (CVE-2019-14904)

  - A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6     respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is     enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by     altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into     privilege escalation or code injection. (CVE-2020-10684)

  - A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before     2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and     3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3     or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating     Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot     and the decryp emains when the host is switched off. The system will be vulnerable when the system is not     running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted     ble. (CVE-2020-10685)

  - A flaw was found in the use of insufficiently random values in Ansible. Two random password lookups of the     same length generate the equal value as the template caching action for the same file since no re-     evaluation happens. The highest threat from this vulnerability would be that all passwords are exposed at     once for the file. This flaw affects Ansible Engine versions before 2.9.6. (CVE-2020-10729)

  - An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where     sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or     outputs of performed tasks to read keys used in playbooks from other users within the uri module. The     highest threat from this vulnerability is to data confidentiality. (CVE-2020-14330)

  - A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-     mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized     users to read this data. The highest threat from this vulnerability is to confidentiality.
    (CVE-2020-14332)

  - A flaw was found in the Ansible Engine, in ansible-engine 2.8.x before 2.8.15 and ansible-engine 2.9.x     before 2.9.13, when installing packages using the dnf module. GPG signatures are ignored during     installation even when disable_gpg_check is set to False, which is the default behavior. This flaw leads     to malicious packages being installed on the system and arbitrary code executed via package installation     scripts. The highest threat from this vulnerability is to integrity and system availability.
    (CVE-2020-14365)

  - A race condition flaw was found in Ansible Engine 2.7.17 and prior, 2.8.9 and prior, 2.9.6 and prior when     running a playbook with an unprivileged become user. When Ansible needs to run a module with become user,     the temporary directory is created in /var/tmp. This directory is created with umask 77 && mkdir -p     ; this operation does not fail if the directory already exists and is owned by another user. An     attacker could take advantage to gain control of the become user as the target directory can be retrieved     by iterating '/proc//cmdline'. (CVE-2020-1733)

  - A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the     module, inject a new path, and then choose a new destination path on the controller node. All versions in     2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable. (CVE-2020-1735)

  - A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set     with the argument password of svn module, it is used on svn command line, disclosing to other users     within the same node. An attacker could take advantage by reading the cmdline file from that particular     PID on the procfs. (CVE-2020-1739)

  - A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user     executes ansible-vault edit, another user on the same computer can read the old and new secret, as it is     created in a temporary file with mkstemp and the returned file descriptor is closed and the method     write_data is called to write the existing secret in the file. This method will delete the file before     recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.
    (CVE-2020-1740)

  - A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x     before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and     3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP     bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters     field. The highest threat from this vulnerability is data confidentiality. (CVE-2020-1746)

  - A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x     versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the     k8s module. Sensitive parameters such as passwords and tokens are passed to kubectl from the command line,     not using an environment variable or an input configuration file. This will disclose passwords and tokens     from process list and no_log directive from debug module would not have any effect making these secrets     being disclosed on stdout and log files. (CVE-2020-1753)

  - A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not     protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows     an attacker to obtain sensitive information. The highest threat from this vulnerability is to     confidentiality. (CVE-2021-20228)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202006-11 (Ansible: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Ansible. Please review       the CVE identifiers referenced below for details.
  Impact :

    Please review the referenced CVE identifiers for details.
  Workaround :

    There is no known workaround at this time.

The version of Ansible Tower running on the remote web server is 3.4.x equal or prior to 3.4.5, or 3.5.x equal or prior to 3.5.5, or 3.6.x equal or prior to 3.6.3. It is, therefore, affected by an information disclosure vulnerability when managing kubernetes using the k8s module.

The remote Redhat Enterprise Linux 7 host has a package installed that is affected by a vulnerability as referenced in the RHSA-2020:2142 advisory.

  - Ansible: kubectl connection plugin leaks sensitive information (CVE-2020-1753)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Update to upstream bugfix and security update 2.9.7. See https://github.com/ansible/ansible/blob/stable-2.9/changelogs/CHANGELO G-v2.9.rst for a detailed list of changes.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1542 advisory.

  - Ansible: code injection when using ansible_facts as a subkey (CVE-2020-10684)

  - Ansible: modules which use files encrypted with vault are not properly cleaned up (CVE-2020-10685)

  - Ansible: archive traversal vulnerability in ansible-galaxy collection install (CVE-2020-10691)

  - ansible: insecure temporary directory when running become_user from become directive (CVE-2020-1733)

  - ansible: path injection on dest parameter in fetch module (CVE-2020-1735)

  - ansible: Extract-Zip function in win_unzip module does not check extracted path (CVE-2020-1737)

  - ansible: svn module leaks password when specified as a parameter (CVE-2020-1739)

  - ansible: secrets readable after ansible-vault edit (CVE-2020-1740)

  - ansible: Information disclosure issue in ldap_attr and ldap_entry modules (CVE-2020-1746)

  - Ansible: kubectl connection plugin leaks sensitive information (CVE-2020-1753)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2020:1541 advisory.

  - Ansible: code injection when using ansible_facts as a subkey (CVE-2020-10684)

  - Ansible: modules which use files encrypted with vault are not properly cleaned up (CVE-2020-10685)

  - Ansible: archive traversal vulnerability in ansible-galaxy collection install (CVE-2020-10691)

  - ansible: insecure temporary directory when running become_user from become directive (CVE-2020-1733)

  - ansible: path injection on dest parameter in fetch module (CVE-2020-1735)

  - ansible: Extract-Zip function in win_unzip module does not check extracted path (CVE-2020-1737)

  - ansible: svn module leaks password when specified as a parameter (CVE-2020-1739)

  - ansible: secrets readable after ansible-vault edit (CVE-2020-1740)

  - ansible: Information disclosure issue in ldap_attr and ldap_entry modules (CVE-2020-1746)

  - Ansible: kubectl connection plugin leaks sensitive information (CVE-2020-1753)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
195097	SUSE SLES15 / openSUSE 15 Security Update : SUSE Manager Client Tools (SUSE-SU-2024:1509-1)	Nessus	SuSE Local Security Checks	critical
181996	Amazon Linux 2 : ansible (ALASANSIBLE2-2023-008)	Nessus	Amazon Linux Local Security Checks	high
159049	openSUSE 15 Security Update : ansible (openSUSE-SU-2022:0081-1)	Nessus	SuSE Local Security Checks	high
152270	Debian DSA-4950-1 : ansible - security update	Nessus	Debian Local Security Checks	high
137448	GLSA-202006-11 : Ansible: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
136716	Ansible Tower 3.4.x =< 3.4.5 / 3.5.x =< 3.5.5 / 3.6.x =< 3.6.3 'k8s module' Information Disclosure Vulnerability	Nessus	CGI abuses	medium
136582	RHEL 7 : Ansible security update (2.7.18) (Moderate) (RHSA-2020:2142)	Nessus	Red Hat Local Security Checks	medium
136002	Fedora 31 : ansible (2020-f80154b5b4)	Nessus	Fedora Local Security Checks	high
135987	Fedora 30 : ansible (2020-1b6ce91e37)	Nessus	Fedora Local Security Checks	high
135914	RHEL 7 / 8 : Ansible security and bug fix update (2.9.7) (Important) (RHSA-2020:1542)	Nessus	Red Hat Local Security Checks	high
135911	RHEL 7 / 8 : Ansible security and bug fix update (2.9.7) (Important) (RHSA-2020:1541)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2020-1753

medium

Tenable Plugins

critical

high

high

high

high

medium

medium

high

high

high

high