GCVE - cpe:2.3:a:[unknown]:ansible:*:*:*:*:*:*:*:*

Approved changes feed: RSS · Atom

cpe:2.3:a:[unknown]:ansible:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	[Unknown] (`5b07108a-8f0c-5d28-ab99-c4ff62adb460`)
Product	Ansible (`04b8bf1b-56bb-5cdc-8d64-7d5958e60ce0`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2019-14856`	vulnerable	2026-06-03 14:39:46.710936	Details available MEDIUM (6.4) ansible before versions 2.8.6, 2.7.14, 2.6.20 is vulnerable to a None Published: 2019-11-26T13:01:31.000Z Updated: 2024-08-05T00:26:39.119Z Open on db.gcve.eu Reference links https://access.redhat.com/errata/RHSA-2020:0756 http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2018-16837`	vulnerable	2026-06-03 14:38:21.055401	Details available HIGH (7.8) Ansible "User" module leaks any data which is passed on as a parameter to ssh-keygen. This could lean in undesirable situations such as passphrases credentials passed as a parameter for the ssh-keygen executable. Showing those credentials in clear text form for every user which have access just to the process list. Published: 2018-10-23T15:00:00.000Z Updated: 2024-08-05T10:32:54.010Z Open on db.gcve.eu Reference links https://access.redhat.com/errata/RHSA-2018:3460 http://www.securityfocus.com/bid/105700 https://access.redhat.com/errata/RHSA-2018:3462 https://access.redhat.com/errata/RHSA-2018:3505 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16837	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2018-10875`	vulnerable	2026-06-03 14:38:00.349290	Details available HIGH (7.8) A flaw was found in ansible. ansible.cfg is read from the current working directory which can be altered to make it point to a plugin or a module path under the control of an attacker, thus allowing the attacker to execute arbitrary code. Published: 2018-07-13T22:00:00.000Z Updated: 2024-08-05T07:46:47.518Z Open on db.gcve.eu Reference links https://access.redhat.com/errata/RHSA-2018:2166 https://access.redhat.com/errata/RHSA-2018:2152 https://access.redhat.com/errata/RHSA-2018:2150 http://www.securitytracker.com/id/1041396 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10875	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2018-10874`	vulnerable	2026-06-03 14:38:00.345170	Details available HIGH (7.8) In ansible it was found that inventory variables are loaded from current working directory when running ad-hoc command which are under attacker's control, allowing to run arbitrary code as a result. Published: 2018-07-02T13:00:00.000Z Updated: 2024-08-05T07:46:47.224Z Open on db.gcve.eu Reference links https://access.redhat.com/errata/RHSA-2018:2166 https://access.redhat.com/errata/RHSA-2018:2152 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10874 https://access.redhat.com/errata/RHSA-2018:2150 http://www.securitytracker.com/id/1041396	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2018-10855`	vulnerable	2026-06-03 14:38:00.289861	Details available MEDIUM (5.9) Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible. Published: 2018-07-02T18:00:00.000Z Updated: 2024-08-05T07:46:47.397Z Open on db.gcve.eu Reference links https://access.redhat.com/errata/RHSA-2018:1949 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855 https://access.redhat.com/errata/RHBA-2018:3788 https://access.redhat.com/errata/RHSA-2018:1948 https://access.redhat.com/errata/RHSA-2018:2184	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-7481`	vulnerable	2026-06-03 14:37:32.053831	Details available MEDIUM (5.3) Ansible before versions 2.3.1.0 and 2.4.0.0 fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as 'unsafe' and is not evaluated. Published: 2018-07-19T13:00:00.000Z Updated: 2024-08-05T16:04:11.540Z Open on db.gcve.eu Reference links https://access.redhat.com/errata/RHSA-2017:1599 https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7481 https://access.redhat.com/errata/RHSA-2017:1334 http://www.securityfocus.com/bid/98492 https://github.com/ansible/ansible/commit/ed56f51f185a1ffd7ea57130d260098686fcc7c2	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2017-7466`	vulnerable	2026-06-03 14:37:32.015495	Details available HIGH (8) Ansible before version 2.3 has an input validation vulnerability in the handling of data sent from client systems. An attacker with control over a client system being managed by Ansible, and the ability to send facts back to the Ansible server, could use this flaw to execute arbitrary code on the Ansible server using the Ansible server privileges. Published: 2018-06-22T13:00:00.000Z Updated: 2024-08-05T16:04:11.382Z Open on db.gcve.eu Reference links https://access.redhat.com/errata/RHSA-2017:1599 https://access.redhat.com/errata/RHSA-2017:1334 http://www.securityfocus.com/bid/97595 https://access.redhat.com/errata/RHSA-2017:1685 https://access.redhat.com/errata/RHSA-2017:1244	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.