Test ID: | 1.3.6.1.4.1.25623.1.0.892535 |
Category: | Debian Local Security Checks |
Title: | Debian: Security Advisory (DLA-2535-1) |
Summary: | The remote host is missing an update for the Debian 'ansible' package(s) announced via the DLA-2535-1 advisory. |
Description:

Vulnerability Insight: Several security vulnerabilities were discovered in ansible, a configuration management, deployment, and task execution system.

CVE-2017-7481: Ansible fails to properly mark lookup-plugin results as unsafe. If an attacker could control the results of lookup() calls, they could inject Unicode strings to be parsed by the jinja2 templating system, resulting in code execution. By default, the jinja2 templating language is now marked as unsafe and is not evaluated.

CVE-2019-10156: A flaw was discovered in the way Ansible templating was implemented, causing the possibility of information disclosure through unexpected variable substitution. By taking advantage of unintended variable substitution the content of any variable may be disclosed.

CVE-2019-14846: Ansible was logging at the DEBUG level, which led to a disclosure of credentials if a plugin used a library that logged credentials at the DEBUG level. This flaw does not affect Ansible modules, as those are executed in a separate process.

CVE-2019-14904: A flaw was found in the solaris_zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the ps bare command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host.

For Debian 9 stretch, these problems have been fixed in version 2.2.1.0-2+deb9u2. We recommend that you upgrade your ansible packages.

For the detailed security status of ansible please refer to its security tracker page at: [link moved to references]

Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: [link moved to references]

Affected Software/OS: 'ansible' package(s) on Debian 9.

Solution: Please install the updated package(s).

CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Cross-Ref:

Common Vulnerability Exposure (CVE) ID: CVE-2017-7481
BugTraq ID: 98492 http://www.securityfocus.com/bid/98492
https://lists.debian.org/debian-lts-announce/2021/01/msg00023.html
RedHat Security Advisories: RHSA-2017:1244 https://access.redhat.com/errata/RHSA-2017:1244
RedHat Security Advisories: RHSA-2017:1334 https://access.redhat.com/errata/RHSA-2017:1334
RedHat Security Advisories: RHSA-2017:1476 https://access.redhat.com/errata/RHSA-2017:1476
RedHat Security Advisories: RHSA-2017:1499 https://access.redhat.com/errata/RHSA-2017:1499
RedHat Security Advisories: RHSA-2017:1599 https://access.redhat.com/errata/RHSA-2017:1599
RedHat Security Advisories: RHSA-2017:2524 https://access.redhat.com/errata/RHSA-2017:2524
https://usn.ubuntu.com/4072-1/

Common Vulnerability Exposure (CVE) ID: CVE-2019-10156
Debian Security Information: DSA-4950 https://www.debian.org/security/2021/dsa-4950
https://lists.debian.org/debian-lts-announce/2019/09/msg00016.html
RedHat Security Advisories: RHSA-2019:3744 https://access.redhat.com/errata/RHSA-2019:3744
RedHat Security Advisories: RHSA-2019:3789 https://access.redhat.com/errata/RHSA-2019:3789

Common Vulnerability Exposure (CVE) ID: CVE-2019-14846
https://lists.debian.org/debian-lts-announce/2020/05/msg00005.html
RedHat Security Advisories: RHSA-2019:3201 https://access.redhat.com/errata/RHSA-2019:3201
RedHat Security Advisories: RHSA-2019:3202 https://access.redhat.com/errata/RHSA-2019:3202
RedHat Security Advisories: RHSA-2019:3203 https://access.redhat.com/errata/RHSA-2019:3203
RedHat Security Advisories: RHSA-2019:3207 https://access.redhat.com/errata/RHSA-2019:3207
RedHat Security Advisories: RHSA-2020:0756 https://access.redhat.com/errata/RHSA-2020:0756
SuSE Security Announcement: openSUSE-SU-2020:0513 http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
SuSE Security Announcement: openSUSE-SU-2020:0523 http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html

Common Vulnerability Exposure (CVE) ID: CVE-2019-14904
https://bugzilla.redhat.com/show_bug.cgi?id=1776944
https://github.com/ansible/ansible/pull/65686
Copyright | Copyright (C) 2021 Greenbone AG |