Ansible, Inc. is committed to the security of our solutions, including Ansible, Tower, and our supporting infrastructure. Security concerns can be reported by email to firstname.lastname@example.org and we will respond promptly. We practice responsible disclosure and will update our software promptly when we agree that an update is required.
When a problem is reported to us, we will gladly disclose its nature, but we request a reasonable amount of time to update our software before an announcement is made. Depending on the nature of the report, we may also need time to evaluate the problem and explore the details with you, and we would like to agree on a date for release of the disclosure information that coincides with a software update.
We will also happily credit researchers in the vulnerability announcement on our mailing lists.
- CVE-2016-9587 - Command injection by compromised server - resolved in Ansible 2.1.4/2.2.1
- CVE-2016-8628 - Command injection by compromised server via fact variables - resolved in Ansible 2.1.3/2.2
- CVE-2016-8614 - apt_key module not properly validating keys in some situations - resolved in Ansible 2.1.3/2.2
- CVE-2016-3096 - Symlink exploit in lxc_container module - resolved in Ansible 1.9.6/2.0.2
- CVE-2015-3908 - Ensure that hostnames match certificate names when using HTTPS - resolved in Ansible 1.9.2
- CVE-2015-6240 - Improper symlink handling in zone, jail, and chroot connection plugins could lead to escape from confined environment - resolved in Ansible 1.9.2
- Number pending - Arbitrary execution from data from compromised remote hosts or local data when using a legacy Ansible syntax - resolved in Ansible 1.7
- Number pending - ansible-galaxy command when used on local tarballs (and not galaxy.ansible.com) can install a malformed tarball if so provided - resolved in Ansible 1.7
- CVE-2014-4966 - Arbitrary execution from data from compromised remote hosts or untrusted local data - resolved in Ansible 1.6.7
- CVE-2014-4678 - Incomplete fix for an earlier remote code execution vulnerability - resolved in Ansible 1.6.4
- CVE-2013-4260 - Local symlink exploit - resolved in Ansible 1.2.3
- CVE-2013-4259 - Local symlink exploit - resolved in Ansible 1.2.3
- CVE-2013-2233 - Host key checking not enforced in the paramiko connection type - resolved in Ansible 1.2.1
- CVE-2016-7070 - Insecure default PostgreSQL configuration - resolved in Tower 3.0.3
- CVE-2015-1482 - Information leak via WebSockets - resolved in Tower 2.0.5
- CVE-2015-1481 - Potential privilege escalation for organization admins - resolved in Tower 2.0.5
- CVE-2015-1368 - XSS vulnerability - resolved in Tower 2.0.5