Abadger

**Name of the Vulnerable Software and Affected Versions** ansible-runner version 2.0.0 **Description** A flaw was found in ansible-runner where the default temporary files configuration is written to world R/W locations. This flaw allows an attacker to pre-create the directory, resulting in reading private information or forcing ansible-runner to write files as the legitimate user in a place they did not expect. The highest threat from this vulnerability is to confidentiality and integrity. **Recommendations** For version 2.0.0, consider changing the default temporary files configuration to a secure location to prevent unauthorized access. As a temporary workaround, restrict write access to the temporary files directory to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ansible-runner (affected versions not specified) **Description** A race condition flaw was found, allowing an attacker to potentially access ansible-runner's private data dir by substituting their directory at the name of a temporary directory. This flaw poses a threat to integrity and confidentiality. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** convert2rhel (affected versions not specified) **Description** The issue is related to a flaw in convert2rhel, where it passes the Red Hat account password to subscription-manager via the command line. This could allow unauthorized users locally on the machine to view the password via the process command line using tools like htop or ps. The impact varies depending on the privileges of the Red Hat account, potentially affecting the integrity, availability, and/or data confidentiality of other systems administered by that account. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ansible Engine versions 2.7.x through 2.7.16 Ansible Engine versions 2.8.x through 2.8.10 Ansible Engine versions 2.9.x through 2.9.6 Ansible Tower versions 3.4.5 and earlier Ansible Tower versions 3.5.5 and earlier Ansible Tower version 3.6.3 **Description** A flaw was found in the Ansible Engine affecting data confidentiality. The issue discloses the LDAP bind password to stdout or a log file if a playbook task is written using the `bind pw` in the parameters field when the ldap attr and ldap entry community modules are used. The highest threat from this vulnerability is data confidentiality. **Recommendations** For Ansible Engine versions 2.7.x through 2.7.16, update to version 2.7.17 or later. For Ansible Engine versions 2.8.x through 2.8.10, update to version 2.8.11 or later. For Ansible Engine versions 2.9.x through 2.9.6, update to version 2.9.7 or later. For Ansible Tower versions 3.4.5 and earlier, update to a version later than 3.4.5. For Ansible Tower versions 3.5.5 and earlier, update to a version later than 3.5.5. For Ansible Tower version 3.6.3, update to a version later than 3.6.3. As a temporary workaround, consider avoiding the use of the `bind pw` parameter in playbook tasks until a patch is available. Restrict access to the ldap attr and ldap entry community modules to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Ansible versions up to 2.8.5 Ansible versions up to 2.7.13 Ansible versions up to 2.6.19 Ansible versions up to 3.5 **Description** The issue is related to the disclosure of information through log files in Ansible. Exploitation of this issue may allow an attacker to gain unauthorized access to protected information. The problem arises when a plugin uses a library that logs credentials at the DEBUG level. However, this flaw does not affect Ansible modules since they are executed in a separate process. **Recommendations** For versions up to 2.8.5, consider disabling the DEBUG level logging until a patch is available. For versions up to 2.7.13, restrict access to log files to minimize the risk of exploitation. For versions up to 2.6.19, avoid using plugins that log credentials at the DEBUG level until the issue is resolved. For versions up to 3.5, as a temporary workaround, consider disabling the logging of credentials at the DEBUG level.

**Name of the Vulnerable Software and Affected Versions** Ansible versions 2.3.x through 2.3.2 Ansible versions 2.4.x through 2.4.0 **Description** A flaw was found in the way Ansible passed certain parameters to the jenkins plugin module, allowing remote attackers to expose sensitive information from a remote host's logs. The issue was resolved by not allowing passwords to be specified in the `params` argument. **Recommendations** For Ansible versions 2.3.x through 2.3.2, update to version 2.3.3 or later. For Ansible versions 2.4.x through 2.4.0, update to version 2.4.1 or later.