Ansible by Red Hat is highly committed to the security of our open source projects (including Ansible and AWX), our commercial solutions (including Ansible Engine, and Ansible Tower), and our supporting infrastructure. Reports or security concerns can be reported by email to and we will respond promptly.  We practice responsible disclosure and will update software promptly when we agree an update is required.

In conjunction with a report to us, we will gladly disclose the nature of problems reported, but request a reasonable amount of time to update our software before an announcement is made.  We may also need some time to evaluate the problem and explore details with you, depending on the nature of the report - and would like to agree on an date for release of the disclosure information that can coincide with a software update.

We'll also happily credit researchers in the announcement of vulnerabilities in our list announcements.

Security Disclosures

Ansible and Red Hat Ansible Engine

  • CVE-2019-10156 - Unsafe template evaluation of returned module data - resolved in 2.6.18, 2.7.12, and 2.8.2
  • CVE-2019-3828 - Path traversal vulnerability in "fetch" module - resolved in 2.5.15, 2.6.14, and 2.7.8
  • CVE-2018-16876 - Information leak when `no_log` is used with -vvv or higher - resolved in 2.5.14, 2.6.11, and 2.7.5
  • CVE-2018-16857 - Information leak with ScriptBlock logging with PowerShell 5 - resolved in 2.5.13, 2.6.10, and 2.7.4
  • CVE-2018-16837- Information leak in "user" module - resolved in Ansible 2.5.11, 2.6.7 and 2.7.1
  • CVE-20180-10875 - Avoid reading `ansible.cfg` from the current directory - resolved in 2.4.6, 2.5.6, and 2.6.1
  • CVE-2018-10855 - Failed tasks in an iterative loop do not honour no_log option - resolved in Ansible 2.4.5/2.5.5
  • CVE-2017-7481 - Security issue with lookup returns not tainting the jinja2 environment - resolved in Ansible 2.3.1/2.2.3/2.1.6
  • CVE-2017-7466 - Command injection by compromised server - incomplete fix for CVE-2016-9587 - resolved in Ansible 2.2.3/2.3
  • CVE-2016-9587 - Command injection by compromised server - resolved in Ansible 2.1.4/2.2.1
  • CVE-2016-8647 - mysql_user module may fail to correctly change password - resolved in Ansible 2.1.4/2.2.1
  • CVE-2016-8628 - Command injection by compromised server via fact variables - resolved in Ansible 2.1.3/2.2
  • CVE-2016-8614 - apt_key module not properly validating keys in some situations - resolved in Ansible 2.1.3/2.2

AWX and Red Hat Ansible Tower

  • CVE-2019-3869 - Fixed an issue to no longer expose Tower service credentials to playbook runs via environment variables when running in OpenShift - resolved in Tower 3.3.5/3.4.3 and AWX 4.0.0
  • CVE-2018-16879 - Incorrect BROKER_URL setting could allow unauthorized AMQP access - resolved in Tower 3.3.3
  • CVE-2018-10884 - CSRF vulnerability - resolved in Tower 3.1.8/3.2.6 and AWX 1.0.7
  • CVE-2018-1104 - Command injection via Jinja2 variables in user-provided extra_vars - resolved in Tower 3.1.6/3.2.4
  • CVE-2018-1101 - Organization admins could modify users by adding them to their organization - resolved in Tower 3.1.6/3.2.4
  • CVE-2017-12148 - Specially crafted ad-hoc command could compromise Tower - resolved in Tower 3.0.4/3.1.5/3.2
  • CVE-2017-12148 - Potential compromise of Tower via injection of git hooks in SCM repository - resolved in Tower 3.0.4/3.1.5/3.2
  • CVE-2016-7070 - Insecure default PostgreSQL configuration - resolved in Tower 3.0.3
  • CVE-2015-1482 - Information leak via WebSockets - resolved in Tower 2.0.5
  • CVE-2015-1481 - Potential privelege escalation for organization admins - resolved in Tower 2.0.5 
  • CVE-2015-1368 - XSS vulnerability - resolved in Tower 2.0.5