Jborean93

**Name of the Vulnerable Software and Affected Versions** Ansible Engine versions prior to 2.10.6rc1 Ansible Engine versions prior to 2.9.18rc1 Ansible Engine versions prior to 2.8.19rc1 **Description** A flaw was found in the Ansible Engine, where sensitive information is not masked by default and is not protected by the `no log` feature when using the sub-option feature of the basic.py module. This allows an attacker to obtain sensitive information, with the highest threat being to confidentiality. **Recommendations** For Ansible Engine versions prior to 2.10.6rc1, update to version 2.10.6rc1 or later. For Ansible Engine versions prior to 2.9.18rc1, update to version 2.9.18rc1 or later. For Ansible Engine versions prior to 2.8.19rc1, update to version 2.8.19rc1 or later. As a temporary workaround, consider disabling the sub-option feature of the basic.py module until a patch is available. Restrict access to sensitive information to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** ansible-engine versions 2.9.x prior to 2.9.7 **Description** An archive traversal flaw was found in ansible-engine when running `ansible-galaxy collection` install. When extracting a collection .tar.gz file, the directory is created without sanitizing the filename. An attacker could take advantage to overwrite any file within the system. **Recommendations** For versions 2.9.x prior to 2.9.7, update to version 2.9.7 or later to resolve the issue. As a temporary workaround, consider restricting the use of `ansible-galaxy collection` install until a patch is applied. Avoid extracting collection .tar.gz files from untrusted sources to minimize the risk of exploitation.