Ansible by Red Hat is highly committed to the security of our open source projects (including Ansible and AWX), our commercial solutions (including Ansible Tower and the Red Hat Ansible Automation Platform), and our supporting infrastructure. Vulnerability reports or security concerns can be sent by email to firstname.lastname@example.org, and we will respond promptly. We practice responsible disclosure and will update software promptly when we agree an update is required.
In conjunction with a report to us, we will gladly disclose the nature of the problems reported, but request a reasonable amount of time to update our software before an announcement is made. We may also need some time to evaluate the problem and explore details with you, depending on the nature of the report, and would like to agree on a date for release of the disclosure information that coincides with a software update.
We'll also happily credit researchers in the vulnerability announcements we send to our announcement lists.
CVE-2021-20228 - Mask default and fallback values for `no_log` module options - resolved in 2.9.18
CVE-2021-20191 - Various modules missing `no_log` on sensitive module arguments - resolved in 2.9.18
CVE-2021-20180 - bitbucket_pipeline_variable - hide user-sensitive information marked as `secured` from being logged to the console (similar to CVE-2021-20191) - resolved in 2.9.18
CVE-2021-20178 - snmp_facts - hide user-sensitive information such as `privkey` and `authkey` from being logged to the console (similar to CVE-2021-20191) - resolved in 2.9.18
CVE-2020-1753 - kubectl connection plugin - now redacts `kubectl_token` and `kubectl_password` in the console log (similar to CVE-2021-20191) - resolved in 2.9.14
CVE-2020-14365 - packages installed with the `dnf` module were previously not GPG-validated - resolved in 2.9.13
CVE-2020-14332 - copy - redact the value of the `no_log` `content` parameter in the result's `invocation.module_args` in check mode - resolved in 2.9.12
CVE-2020-14330 - uri - Sanitize no_log values from any response keys that might be returned - resolved in 2.9.12
CVE-2020-1746 - ldap_attr, ldap_entry - the `params` option has been removed in ansible-base 2.10; setting `bind_pw` via `params` has been disallowed in earlier Ansible versions - resolved in 2.9.7
CVE-2020-1739 - subversion - password is no longer passed via command-line arguments but read from standard input instead - resolved in 2.9.7
CVE-2020-1737 - win_unzip - paths in archive are now normalized to ensure extracted files do not escape from the target directory - resolved in 2.9.7
CVE-2020-1740 - vault - temporary vault file is now created with strict permissions and a race condition is eliminated - resolved in 2.9.7
CVE-2020-1733 - error if remote temporary directory already exists instead of continuing to use it - resolved in 2.9.7
CVE-2020-1735 - fetch action - avoid using slurp return data to set up destination directory on controller node - resolved in 2.9.7
CVE-2020-10691 - ansible-galaxy - error when install finds a tar with a file that will be extracted outside the collection install directory - resolved in 2.9.7
CVE-2019-14904 - solaris_zone - command injection via zone name - resolved in 2.9.3
CVE-2019-14905 - nxos_file_copy - command injection via `remote_file` parameter - resolved in 2.9.3
CVE-2019-14864 - splunk and sumologic callback plugins leak sensitive data in logs - resolved in 2.9.1
CVE-2019-14856 - password prompts in ansible-playbook and ansible CLI tools could expose passwords with special characters as they were not properly wrapped - resolved in 2.9.0
CVE-2019-14858 - properly hide parameters marked with `no_log` in suboptions when invalid parameters are passed to the module - resolved in 2.9.0
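Several of the entries above (CVE-2021-20228, CVE-2021-20191, CVE-2020-14332, CVE-2020-14330, CVE-2019-14858) are the same defect in different modules: a value declared `no_log` leaks into a result, an error message or the echoed module arguments, or the masking misses defaults, fallbacks and suboptions. The following is an added, stand-alone example of that masking logic; it is not Ansible's own code (AnsibleModule does this internally with its argument_spec handling and `remove_values`), and the argument spec, parameters and raw result are constructed for illustration.

```python
"""Collect `no_log` values from a module argument spec (including nested
suboptions and defaults) and scrub them from a result before returning it.

Added example, not Ansible's own code. ARGUMENT_SPEC, PARAMS and RAW_RESULT
are constructed sample data.
"""

MASK = "********"


def no_log_values(argument_spec, params):
    """Return every value that the spec marks `no_log: True`.

    Defaults are folded in before collection so that a sensitive default or
    fallback value is masked too (the CVE-2021-20228 class of bug), and nested
    `options` (suboptions) are walked recursively, both for a dict value and
    for a list of dicts."""
    found = []
    for name, spec in argument_spec.items():
        value = params.get(name, spec.get("default"))
        if value is None:
            continue
        if spec.get("no_log"):
            found.append(value)
        sub = spec.get("options")
        if sub and isinstance(value, dict):
            found.extend(no_log_values(sub, value))
        elif sub and isinstance(value, list):
            for item in value:
                if isinstance(item, dict):
                    found.extend(no_log_values(sub, item))
    return found


def redact_values(obj, secrets, mask=MASK):
    """Recursively replace every occurrence of each secret inside `obj`.

    Strings are scrubbed as substrings, so a password embedded in a URL or an
    error message is caught as well; dict keys, list, tuple and set items are
    all visited. Non-string secrets are ignored."""
    secrets = [s for s in secrets if isinstance(s, str) and s]

    def scrub(value):
        if isinstance(value, str):
            for s in secrets:
                value = value.replace(s, mask)
            return value
        if isinstance(value, bytes):
            for s in secrets:
                value = value.replace(s.encode("utf-8"), mask.encode("utf-8"))
            return value
        if isinstance(value, dict):
            return {scrub(k): scrub(v) for k, v in value.items()}
        if isinstance(value, (list, tuple, set)):
            return type(value)(scrub(v) for v in value)
        return value

    return scrub(obj)


# Constructed spec for a hypothetical uri-like module: `token` is no_log and
# `auth` carries a no_log suboption whose default is itself sensitive.
ARGUMENT_SPEC = {
    "url": {"type": "str", "required": True},
    "token": {"type": "str", "no_log": True},
    "auth": {
        "type": "dict",
        "options": {
            "user": {"type": "str"},
            "password": {"type": "str", "no_log": True, "default": "changeme"},
        },
    },
}

# Constructed parameters: `auth.password` is omitted, so its default applies.
PARAMS = {
    "url": "https://api.example.test/",
    "token": "s3cr3t-token",
    "auth": {"user": "deploy"},
}

# Constructed raw result as a module might build it: the token leaks into a
# response key, a message string and the echoed module_args.
RAW_RESULT = {
    "changed": False,
    "msg": "GET https://api.example.test/?key=s3cr3t-token -> 200",
    "json": {"auth": {"token": "s3cr3t-token"}, "user": "deploy"},
    "invocation": {
        "module_args": {
            "token": "s3cr3t-token",
            "auth": {"user": "deploy", "password": "changeme"},
        }
    },
}


def sanitized_result():
    """The result after scrubbing, i.e. what should reach the controller's log."""
    return redact_values(RAW_RESULT, no_log_values(ARGUMENT_SPEC, PARAMS))


if __name__ == "__main__":
    import json

    print(json.dumps(sanitized_result(), indent=2))
```

The point the CVE list makes is that the scrub must run over the whole result, not just the documented return keys: `invocation.module_args`, free-form `msg` strings and any response body the remote side echoes back all need the same treatment, and the secret set must include values the user never typed (defaults and fallbacks).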
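CVE-2020-1737 (win_unzip) and CVE-2020-10691 (ansible-galaxy) are both archive path traversal: an entry named with `..` segments, an absolute path, or a link pointing outside the destination gets written somewhere other than the target directory. The check below is an added example of the defence those fixes describe, written against Python's `tarfile`; it is not the code from either fix, and the in-memory tarball it builds is constructed sample input.

```python
"""Reject archive members that would be written outside the destination.

Added example, not Ansible's own code: the same class of check that the
win_unzip and ansible-galaxy fixes describe. The sample tarball is constructed.
"""
import io
import os
import posixpath
import tarfile


def member_escapes(dest: str, name: str) -> bool:
    """True if archive entry `name`, extracted under `dest`, lands outside it.

    Both paths are fully normalised (`..` segments, absolute names) before the
    comparison; Windows separators are folded to `/` so entries written by
    tools that use backslashes are covered as well."""
    name = name.replace("\\", "/")
    dest_real = os.path.realpath(dest)
    target = os.path.realpath(os.path.join(dest_real, name))
    return os.path.commonpath([dest_real, target]) != dest_real


def unsafe_tar_members(dest: str, archive: bytes) -> list:
    """Names of entries in `archive` (bytes of a tar) that escape `dest`.

    Links are checked on their target too: a symlink target is resolved from
    the entry's own directory, a hard-link target from the archive root."""
    bad = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tar:
        for m in tar.getmembers():
            if member_escapes(dest, m.name):
                bad.append(m.name)
            elif m.issym():
                target = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if member_escapes(dest, target):
                    bad.append(m.name)
            elif m.islnk():
                if member_escapes(dest, m.linkname):
                    bad.append(m.name)
    return bad


def build_sample_tar() -> bytes:
    """Constructed tarball: one legitimate file, one `..` escape, one bad symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name in ("plugins/modules/ok.py", "../../escape.py"):
            data = b"# constructed sample content\n"
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("plugins/link")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../../outside"
        tar.addfile(link)
    return buf.getvalue()


def sample_findings(dest="/opt/collections/dest") -> list:
    """Run the check over the constructed tarball against a hypothetical dest."""
    return unsafe_tar_members(dest, build_sample_tar())


if __name__ == "__main__":
    for name in sample_findings():
        print("refusing to extract:", name)
```

The check has to run before anything is written, and the right response to a single bad entry is to refuse the whole archive rather than skip the entry, which is what the ansible-galaxy entry describes ("error when install finds a tar with a file that will be extracted outside the collection install directory").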
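CVE-2020-1740 (vault temporary file permissions and race) and CVE-2020-1733 (reusing a remote temporary directory that already exists) are both about creating a private location atomically: the permission bits must be set at creation time, not fixed up afterwards, and a pre-existing path must be treated as an error rather than reused. This added example is not the vault or remote-tmp code from those fixes; it shows the same pattern with `os.open(..., O_CREAT | O_EXCL, 0o600)` and `os.mkdir(..., 0o700)` under a scratch directory it creates itself.

```python
"""Create a private directory and file atomically, refusing to reuse either.

Added example, not Ansible's own code. demo() builds its scratch area under
tempfile.mkdtemp and removes it afterwards.
"""
import os
import shutil
import stat
import tempfile


def create_private_dir(path: str) -> None:
    """mkdir with mode 0700; raises FileExistsError if `path` already exists.

    No exist_ok: a directory that is already there may belong to someone
    else or carry wider permissions than we are about to rely on."""
    os.mkdir(path, 0o700)


def write_private_file(path: str, data: bytes) -> None:
    """Create `path` with mode 0600 and write `data` to it.

    O_CREAT | O_EXCL makes creation fail if the path exists (including a
    symlink planted there), and the mode is applied by the same syscall, so
    there is no window in which the file exists with default permissions."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Exercise both helpers and report what happened."""
    base = tempfile.mkdtemp(prefix="private-tmp-demo-")
    try:
        workdir = os.path.join(base, "work")
        create_private_dir(workdir)
        try:
            create_private_dir(workdir)  # second attempt must fail
            dir_reused = True
        except FileExistsError:
            dir_reused = False

        secret = os.path.join(workdir, "edit.yml")
        write_private_file(secret, b"---\npassword: constructed-sample\n")
        file_mode = stat.S_IMODE(os.stat(secret).st_mode)
        dir_mode = stat.S_IMODE(os.stat(workdir).st_mode)
        try:
            write_private_file(secret, b"overwrite attempt\n")
            file_clobbered = True
        except FileExistsError:
            file_clobbered = False
    finally:
        shutil.rmtree(base)

    return {
        "dir_reused": dir_reused,
        "dir_mode": dir_mode,
        "file_mode": file_mode,
        "file_clobbered": file_clobbered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {oct(value) if isinstance(value, int) else value}")
```

Note that `tempfile.mkstemp` already does the O_EXCL-plus-0600 dance for you; the hand-written version is here to make visible which two properties matter, because they are exactly the two the vault fix added.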