Abhijeet Kasurde

**Name of the Vulnerable Software and Affected Versions** Ansible Engine versions 2.7.15 through 2.9.2 and all previous versions **Description** A flaw was found in the solaris zone module from the Ansible Community modules. When setting the name for the zone on the Solaris host, the zone name is checked by listing the process with the 'ps' command on the remote machine. An attacker could take advantage of this flaw by crafting the name of the zone and executing arbitrary commands in the remote host. **Recommendations** For Ansible Engine versions 2.7.15 through 2.9.2 and all previous versions, consider disabling the solaris zone module until a patch is available to prevent exploitation. Restrict access to the remote host to minimize the risk of arbitrary command execution. Avoid using the 'ps' command for zone name checks in the solaris zone module until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ansible versions 2.7.x through 2.7.14 Ansible versions 2.8.x through 2.8.6 Ansible versions 2.9.x through 2.9.0 **Description** The issue is related to the absence of consideration for the `no log` flag in Ansible's system management configuration modules for Splunk and Sumologic. This could allow a remote attacker to gain unauthorized access to protected information. The vulnerability affects Ansible when using Sumologic and Splunk callback plugins, causing the disclosure and collection of sensitive data when the `no log` flag is set to True. **Recommendations** For Ansible versions 2.7.x through 2.7.14, update to version 2.7.15 or later to resolve the issue. For Ansible versions 2.8.x through 2.8.6, update to version 2.8.7 or later to resolve the issue. For Ansible versions 2.9.x through 2.9.0, update to version 2.9.1 or later to resolve the issue.