cve,link,title,description,vendor,products,score,severity,epss,cisa,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-11079,https://securityvulnerability.io/vulnerability/CVE-2024-11079,Ansible-Core Vulnerability Allows Bypass of Unsafe Content Protections,A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.,Red Hat,"Red Hat Ansible Automation Platform 2,Red Hat Enterprise Linux Ai (rhel Ai)",5.5,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-11-12T00:15:00.000Z,0
CVE-2024-10033,https://securityvulnerability.io/vulnerability/CVE-2024-10033,Aap-gateway: xss on aap-gateway,"A vulnerability was found in aap-gateway. A Cross-site Scripting (XSS) vulnerability exists in the gateway component. This flaw allows a malicious user to perform actions that impact users by using the ""?next="" in a URL, which can lead to redirecting, injecting malicious script, stealing sessions and data.",Red Hat,"Red Hat Ansible Automation Platform 2.5 For Rhel 8,Red Hat Ansible Automation Platform 2.5 For Rhel 9",6.1,MEDIUM,0.0005200000014156103,false,false,false,false,,false,false,2024-10-16T17:15:00.000Z,0
CVE-2024-9979,https://securityvulnerability.io/vulnerability/CVE-2024-9979,Use-After-Free Vulnerability in PyO3 Could Lead to Memory Corruption or Crashes,"A flaw in PyO3 enables a use-after-free issue that can result in memory corruption or application crashes. This vulnerability stems from unsound borrowing from weak Python references, which could be exploited by attackers or inadvertently trigger instability in applications that rely on the affected library. Developers utilizing PyO3 should review their code for instances that may be influenced by this vulnerability and ensure they adopt the latest secure version to mitigate potential risks.",Red Hat,"Red Hat Ansible Automation Platform 2,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9",5.3,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-10-15T14:01:54.309Z,0
CVE-2024-9620,https://securityvulnerability.io/vulnerability/CVE-2024-9620,Ansible Automation Platform vulnerability,"A critical flaw exists in the Event-Driven Automation (EDA) component of the Ansible Automation Platform, whereby sensitive information is transmitted and stored without encryption. This vulnerability exposes plaintext data to attackers with network access, who could intercept unprotected communications between the EDA and AAP. Additionally, attackers with system access could gain access to sensitive information stored in the EDA and AAP databases, further compromising data integrity. Organizations leveraging this platform should take immediate steps to mitigate the risk associated with this vulnerability to safeguard their sensitive information.",Red Hat,Red Hat Ansible Automation Platform 2,5.3,MEDIUM,0.0004600000102072954,false,false,false,false,,false,false,2024-10-08T16:25:39.944Z,0
CVE-2024-8775,https://securityvulnerability.io/vulnerability/CVE-2024-8775,Ansible Vault Flaw Exposes Sensitive Information in Plaintext,"A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.",Red Hat,"Red Hat Ansible Automation Platform 2,Red Hat Enterprise Linux Ai (rhel Ai)",5.5,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-09-14T03:15:00.000Z,0
CVE-2024-1657,https://securityvulnerability.io/vulnerability/CVE-2024-1657,Insecure WebSocket Connection in Ansible Rulebook EDA Server Exposes System Data,"A vulnerability has been identified in the Ansible Automation Platform where an insecure WebSocket connection is utilized during the installation process from the Ansible rulebook EDA server. This security flaw allows an attacker with access to any machine within the same CIDR block to exploit the WebSocket, potentially leading to unauthorized downloading of all rulebook data. As a result, this vulnerability poses significant risks to the confidentiality and integrity of the system, enabling sensitive data exposures and unauthorized access to critical automation resources. Organizations using Ansible Automation Platform are advised to take immediate action to secure their WebSocket configurations and mitigate potential risks.",Red Hat,"Red Hat Ansible Automation Platform 2.4 For Rhel 8,Red Hat Ansible Automation Platform 2.4 For Rhel 9",8.1,HIGH,0.00044999999227002263,false,false,false,false,,false,false,2024-04-25T17:15:00.000Z,0
CVE-2024-1394,https://securityvulnerability.io/vulnerability/CVE-2024-1394,Memory Leak Vulnerability in Golang RSA Code Could Lead to Resource Exhaustion,"A memory leak flaw has been identified in the RSA encrypting and decrypting code of the Golang FIPS OpenSSL library. This issue arises from improper handling of named return parameters, specifically within the RSA library's context initialization process. When errors occur during context initialization or property settings, the related pointers, namely 'pkey' and 'ctx', are left unfreed, leading to a potential resource exhaustion vulnerability. Attackers can exploit this flaw through crafted inputs, causing the application to exhaust memory resources.",Red Hat,"Red Hat Ansible Automation Platform 2.4 For Rhel 8,Red Hat Ansible Automation Platform 2.4 For Rhel 9,Red Hat Developer Tools,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 9.0 Update Services For SAP Solutions,Red Hat Enterprise Linux 9.2 Extended Update Support,Red Hat Openshift Container Platform 4.12,Red Hat Openshift Container Platform 4.13,Red Hat Openshift Container Platform 4.14,Red Hat Openshift Container Platform 4.15,Red Hat Openstack Platform 16.2,Red Hat Openstack Platform 17.1 For Rhel 8,Red Hat Openstack Platform 17.1 For Rhel 9,Rhodf-4.16-rhel-9,Nbde Tang Server,Openshift Developer Tools And Services,Openshift Pipelines,Openshift Serverless,Red Hat Ansible Automation Platform 1.2,Red Hat Ansible Automation Platform 2,Red Hat Certification For Red Hat Enterprise Linux 8,Red Hat Certification For Red Hat Enterprise Linux 9,Red Hat Enterprise Linux 7,Red Hat Openshift Container Platform 4,Red Hat Openshift Container Storage 4,Red Hat Openshift Dev Spaces,Red Hat Openshift Gitops,Red Hat Openshift On Aws,Red Hat Openshift Virtualization 4,Red Hat Openstack Platform 16.1,Red Hat Openstack Platform 17.1,Red Hat Openstack Platform 18.0,Red Hat Service Interconnect 1,Red Hat Software Collections,Red Hat Storage 3",7.5,HIGH,0.0006900000153109431,false,false,false,false,,false,false,2024-03-21T12:16:38.790Z,0
CVE-2023-6681,https://securityvulnerability.io/vulnerability/CVE-2023-6681,JWCrypto Vulnerability Could Lead to Denial of Service and Password Brute-Force Attacks,"A vulnerability was found in JWCrypto. This flaw allows an attacker to cause a denial of service (DoS) attack and possible password brute-force and dictionary attacks to be more resource-intensive. This issue can result in a large amount of computational consumption, causing a denial of service attack.",Red Hat,"Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Red Hat Ansible Automation Platform 2,Red Hat Enterprise Linux 7",5.3,MEDIUM,0.0005200000014156103,false,false,false,false,,false,false,2024-02-12T14:04:45.113Z,0
CVE-2024-0690,https://securityvulnerability.io/vulnerability/CVE-2024-0690,An Information Disclosure Flaw in Ansible-Core Could Lead to Sensitive Data Exposure,"An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.",Red Hat,"Ansible,Red Hat Ansible Automation Platform 2.4 For Rhel 8,Red Hat Ansible Automation Platform 2.4 For Rhel 9,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Fedora 38,Fedora 39,Extra Packages For Enterprise Linux 8",5.5,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2024-02-06T12:00:28.505Z,0
CVE-2023-50782,https://securityvulnerability.io/vulnerability/CVE-2023-50782,Remote Decryption Vulnerability in TLS Servers Using RSA Key Exchanges,"A vulnerability has been identified in the python-cryptography package that may allow remote attackers to decrypt captured messages during TLS sessions employing RSA key exchanges. This can lead to significant risks, including the unintended exposure of confidential or sensitive data. Given the widespread use of TLS for securing communications, it is crucial for users and administrators to evaluate their systems and apply necessary updates to mitigate this risk. The flaw underscores the importance of maintaining robust security measures while using cryptographic libraries.",Red Hat,"Red Hat Ansible Automation Platform 2,Red Hat Enterprise Linux 7,Red Hat Enterprise Linux 8,Red Hat Enterprise Linux 9,Red Hat Satellite 6,Red Hat Update Infrastructure 4 For Cloud Providers",7.5,HIGH,0.0010600000387057662,false,false,false,false,,false,false,2024-02-05T20:45:49.705Z,0
CVE-2023-5115,https://securityvulnerability.io/vulnerability/CVE-2023-5115,Ansible: malicious role archive can cause ansible-galaxy to overwrite arbitrary files,An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.,Red Hat,"Red Hat Ansible Automation Platform 2.3 For Rhel 8,Red Hat Ansible Automation Platform 2.3 For Rhel 9,Red Hat Ansible Automation Platform 2.4 For Rhel 8,Red Hat Ansible Automation Platform 2.4 For Rhel 9,Red Hat Ansible Automation Platform 1.2",6.3,MEDIUM,0.0010499999625608325,false,false,false,false,,false,false,2023-12-18T14:15:00.000Z,0
CVE-2023-5764,https://securityvulnerability.io/vulnerability/CVE-2023-5764,Ansible: template injection,A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.,Red Hat,"Red Hat Ansible Automation Platform 2.4 For Rhel 8,Red Hat Ansible Automation Platform 2.4 For Rhel 9",7.1,HIGH,0.0004199999966658652,false,false,false,false,,false,false,2023-12-12T22:15:00.000Z,0
CVE-2023-5189,https://securityvulnerability.io/vulnerability/CVE-2023-5189,Hub: insecure galaxy-importer tarfile extraction,"A path traversal vulnerability exists in Ansible when extracting tarballs. An attacker could craft a malicious tarball so that when using the galaxy importer of Ansible Automation Hub, a symlink could be dropped on the disk, resulting in files being overwritten.",Red Hat,"Red Hat Ansible Automation Platform 2.4 For Rhel 8,Red Hat Ansible Automation Platform 2.4 For Rhel 9,Red Hat Satellite 6.14 For Rhel 8,Red Hat Satellite 6.15 For Rhel 8",6.5,MEDIUM,0.001290000043809414,false,false,false,false,,false,false,2023-11-14T23:15:00.000Z,0
CVE-2022-3248,https://securityvulnerability.io/vulnerability/CVE-2022-3248,"Openshift api admission checks does not enforce ""custom-host"" permissions","A flaw was found in OpenShift API, as admission checks do not enforce ""custom-host"" permissions. This issue could allow an attacker to violate the boundaries, as permissions will not be applied.",Red Hat,"Kubernetes,Red Hat Advanced Cluster Management For Kubernetes 2,Red Hat Ansible Automation Platform 1.2,Red Hat Ansible Tower 3,Red Hat Openshift Container Platform 3.11,Red Hat Openshift Container Platform 4",4.4,MEDIUM,0.0006900000153109431,false,false,false,false,,false,false,2023-10-05T13:28:27.973Z,0
CVE-2023-3971,https://securityvulnerability.io/vulnerability/CVE-2023-3971,Controller: html injection in custom login info,"An HTML injection vulnerability exists in the user interface settings of Red Hat Controller, which allows attackers to inject malicious HTML code. This can lead to the creation of custom login pages designed to capture user credentials. As a result, attackers may gain unauthorized access to sensitive information by tricking users into entering their credentials on these fraudulent pages.",Red Hat,"Red Hat Ansible Automation Platform 2.3 For Rhel 8,Red Hat Ansible Automation Platform 2.3 For Rhel 9,Red Hat Ansible Automation Platform 2.4 For Rhel 8,Red Hat Ansible Automation Platform 2.4 For Rhel 9",7.3,HIGH,0.0015200000489130616,false,false,false,true,true,false,false,2023-10-04T15:15:00.000Z,0
CVE-2023-4380,https://securityvulnerability.io/vulnerability/CVE-2023-4380,Platform: token exposed at importing project,"A logic flaw exists in Ansible Automation platform. Whenever a private project is created with incorrect credentials, they are logged in plaintext. This flaw allows an attacker to retrieve the credentials from the log, resulting in the loss of confidentiality, integrity, and availability.",Red Hat,"Red Hat Ansible Automation Platform 2.4 For Rhel 8,Red Hat Ansible Automation Platform 2.4 For Rhel 9",6.3,MEDIUM,0.0009200000204145908,false,false,false,false,,false,false,2023-10-04T15:15:00.000Z,0
CVE-2023-4237,https://securityvulnerability.io/vulnerability/CVE-2023-4237,Platform: ec2_key module prints out the private key directly to the standard output,"A vulnerability exists within the Ansible Automation Platform that causes the ec2_key module to expose private keys to standard output when generating new keypairs. This flaw can lead to unauthorized access if attackers can access log files, thus compromising the confidentiality and integrity of the system. Users of the Ansible Automation Platform should review their logging practices and ensure proper security measures are taken to protect sensitive information.",Red Hat,"Red Hat Ansible Automation Platform 2.4 For Rhel 8,Red Hat Ansible Automation Platform 2.4 For Rhel 9",7.3,HIGH,0.0004199999966658652,false,false,false,false,,false,false,2023-10-04T15:15:00.000Z,0
CVE-2022-3205,https://securityvulnerability.io/vulnerability/CVE-2022-3205,Controller: cross site scripting in automation controller ui,Cross site scripting in automation controller UI in Red Hat Ansible Automation Platform 1.2 and 2.0 where the project name is susceptible to XSS injection,Red Hat,"Red Hat Ansible Automation Platform 1.2,Red Hat Ansible Automation Platform 2",4.6,MEDIUM,0.0007800000021234155,false,false,false,false,,false,false,2022-09-13T19:19:46.000Z,0
CVE-2020-14332,https://securityvulnerability.io/vulnerability/CVE-2020-14332,,A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.,Red Hat,Ansible,5.5,MEDIUM,0.00046999999904073775,false,false,false,false,,false,false,2020-09-11T17:59:30.000Z,0
CVE-2020-14330,https://securityvulnerability.io/vulnerability/CVE-2020-14330,,"An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.",Red Hat,Ansible,5,MEDIUM,0.0005799999926239252,false,false,false,false,,false,false,2020-09-11T00:00:00.000Z,0
CVE-2020-10782,https://securityvulnerability.io/vulnerability/CVE-2020-10782,,"An exposure of sensitive information flaw was found in Ansible version 3.7.0. Sensitive information, such tokens and other secrets could be readable and exposed from the rsyslog configuration file, which has set the wrong world-readable permissions. The highest threat from this vulnerability is to confidentiality. This is fixed in Ansible version 3.7.1.",Red Hat,Ansible Tower,6.5,MEDIUM,0.0004400000034365803,false,false,false,false,,false,false,2020-06-18T12:49:07.000Z,0
CVE-2020-10744,https://securityvulnerability.io/vulnerability/CVE-2020-10744,,"An incomplete fix was found for the fix of the flaw CVE-2020-1733 ansible: insecure temporary directory when running become_user from become directive. The provided fix is insufficient to prevent the race condition on systems using ACLs and FUSE filesystems. Ansible Engine 2.7.18, 2.8.12, and 2.9.9 as well as previous versions are affected and Ansible Tower 3.4.5, 3.5.6 and 3.6.4 as well as previous versions are affected.",Red Hat,Ansible,5,MEDIUM,0.0004400000034365803,false,false,false,false,,false,false,2020-05-15T13:44:33.000Z,0
CVE-2020-1746,https://securityvulnerability.io/vulnerability/CVE-2020-1746,,A flaw was found in the Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when the ldap_attr and ldap_entry community modules are used. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the bind_pw in the parameters field. The highest threat from this vulnerability is data confidentiality.,Red Hat,Ansible,5,MEDIUM,0.00046999999904073775,false,false,false,false,,false,false,2020-05-12T17:30:47.000Z,0
CVE-2020-10685,https://securityvulnerability.io/vulnerability/CVE-2020-10685,,"A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble.",Red Hat,Ansible,5,MEDIUM,0.00044999999227002263,false,false,false,false,,false,false,2020-05-11T00:00:00.000Z,0
CVE-2020-10691,https://securityvulnerability.io/vulnerability/CVE-2020-10691,,"An archive traversal flaw was found in all ansible-engine versions 2.9.x prior to 2.9.7, when running ansible-galaxy collection install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system.",Red Hat,Ansible,5.2,MEDIUM,0.0004400000034365803,false,false,false,false,,false,false,2020-04-30T16:23:36.000Z,0