CVE-2020-1737HIGHCVSS 7.5EG 7.5✓ Fixed in 2.9.6

vulnerable: 1.0 ... 2.9.5 (167 versions)

A flaw was found in Ansible 2.7.17 and prior, 2.8.9 and prior, and 2.9.6 and prior when using the Extract-Zip function from the win_unzip module as the extracted file(s) are not checked if they belong to the destination folder. An attacker…

CVE-2020-1738LOWCVSS 3.9EG 3.9✓ Fixed in 2.9.6

2020-03-16

vulnerable: 1.0 ... 2.9.5 (167 versions)

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible…

CVE-2020-1739LOWCVSS 3.9EG 3.9✓ Fixed in 2.9.6

2020-03-12

vulnerable: 1.0 ... 2.9.5 (167 versions)

A flaw was found in Ansible 2.7.16 and prior, 2.8.8 and prior, and 2.9.5 and prior when a password is set with the argument "password" of svn module, it is used on svn command line, disclosing to other users within the same node. An attack…

CVE-2020-1740LOWCVSS 3.9EG 3.9✓ Fixed in 2.9.6

2020-03-16

vulnerable: 1.0 ... 2.9.5 (167 versions)

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file wit…

CVE-2020-1746MEDIUMCVSS 5.0EG 5.0✓ Fixed in 2.9.7

2020-05-12

vulnerable: 2.7.0 ... 2.9.6 (35 versions)

A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr…

CVE-2020-1753MEDIUMCVSS 5.0EG 5.0✓ Fixed in 2.9.7

2020-03-16

vulnerable: 1.0 ... 2.9.6 (171 versions)

A security flaw was found in Ansible Engine, all Ansible 2.7.x versions prior to 2.7.17, all Ansible 2.8.x versions prior to 2.8.11 and all Ansible 2.9.x versions prior to 2.9.7, when managing kubernetes using the k8s module. Sensitive par…

CVE-2020-25635MEDIUMCVSS 5.0EG 5.0✓ Fixed in 2.10.1

2020-10-05

vulnerable: 1.0 ... 2.9.27rc1 (246 versions)

A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confident…

CVE-2021-20178MEDIUMCVSS 5.5EG 5.5✓ Fixed in 2.9.18

2021-05-26

vulnerable: 1.0 ... 2.9.9 (214 versions)

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_p…

CVE-2021-20180MEDIUMCVSS 5.5EG 5.5✓ Fixed in 2.9.18

2022-03-16

vulnerable: 2.9.0 ... 2.9.9 (29 versions)

A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This flaw allows an attacker to steal bitbucket_p…

CVE-2021-20191MEDIUMCVSS 5.5EG 5.5✓ Fixed in 2.10.7

2021-05-26

vulnerable: 1.0 ... 2.9.9 (212 versions)

A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage of this information to steal those creden…

CVE-2021-20228HIGHCVSS 7.5EG 7.5✓ Fixed in 2.9.19

2021-04-29

vulnerable: 1.0 ... 2.9.19rc1 (216 versions)

A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. This flaw allows an attacker to obtain sensit…

CVE-2021-3447MEDIUMCVSS 5.5EG 5.5✓ Fixed in 1.2.2

2021-04-01

vulnerable: 1.0, 1.1, 1.2, 1.2.1

A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the controller node when run in verbose mode. These p…

CVE-2021-3583HIGHCVSS 7.1EG 7.1✓ Fixed in 2.9.23

2021-09-22

vulnerable: 1.0 ... 2.9.9 (224 versions)

A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-line YAML strings and the facts being handl…

CVE-2021-3620MEDIUMCVSS 5.5EG 5.5✓ Fixed in 2.9.27

2022-03-03

vulnerable: 1.0 ... 2.9.9 (232 versions)

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confi…

CVE-2022-3697HIGHCVSS 7.5EG 7.5✓ Fixed in 7.0.0

2022-10-28

vulnerable: 2.10.0 ... 7.0.0rc1 (230 versions)

A flaw was found in Ansible in the amazon.aws collection when using the tower_callback parameter from the amazon.aws.ec2_instance module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter …

CVE-2023-5115MEDIUMCVSS 6.3EG 6.3✓ Fixed in 8.5.0

2023-12-18

vulnerable: 1.0 ... 8.4.0 (332 versions)

An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extr…

CVE-2025-14010MEDIUMCVSS 5.5EG 5.5✓ Fixed in 12.2.0

2025-12-04

vulnerable: 1.0 ... 9.9.0 (404 versions)

A flaw was found in ansible-collection-community-general. This vulnerability allows for information exposure (IE) of sensitive credentials, specifically plaintext passwords, via verbose output when running Ansible with debug modes. Attacke…

ansible

CVEs affecting ansiblepage 2 of 2

Check whether ansible is used in your infrastructure