ansible-core-2.12.2.tar.gz: 7 vulnerabilities (highest severity is: 7.3) #48
Description
Vulnerable Library - ansible-core-2.12.2.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/20/29/261882cb36120e22804f0579da6e13421d719ccbde4ccdffe3f54368c503/ansible-core-2.12.2.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251126140837_YAOJPN/python_UBHLPJ/20251126140838/ansible-core-2.12.2.tar.gz
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Dependency | Type | Fixed in (ansible-core version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2023-4237 |  High |
7.3 | ansible-core-2.12.2.tar.gz | Direct | N/A | ❌ |
| CVE-2023-5764 | High |
7.1 | ansible-core-2.12.2.tar.gz | Direct | 2.14.12 | ✅ |
| CVE-2024-9902 |  Medium |
6.3 | ansible-core-2.12.2.tar.gz | Direct | 2.14.18 | ✅ |
| CVE-2023-5115 | Medium |
6.3 | ansible-core-2.12.2.tar.gz | Direct | 2.13.13 | ✅ |
| CVE-2024-8775 | Medium |
5.5 | ansible-core-2.12.2.tar.gz | Direct | 2.16.14 | ✅ |
| CVE-2024-11079 | Medium |
5.5 | ansible-core-2.12.2.tar.gz | Direct | 2.16.14 | ✅ |
| CVE-2024-0690 | Medium |
5.0 | ansible-core-2.12.2.tar.gz | Direct | ansible-core - 2.14.14,2.15.9,2.16.3 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-4237
Vulnerable Library - ansible-core-2.12.2.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/20/29/261882cb36120e22804f0579da6e13421d719ccbde4ccdffe3f54368c503/ansible-core-2.12.2.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251126140837_YAOJPN/python_UBHLPJ/20251126140838/ansible-core-2.12.2.tar.gz
Dependency Hierarchy:
- ❌ ansible-core-2.12.2.tar.gz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A flaw was found in the Ansible Automation Platform. When creating a new keypair, the ec2_key module prints out the private key directly to the standard output. This flaw allows an attacker to fetch those keys from the log files, compromising the system's confidentiality, integrity, and availability.
Publish Date: 2023-10-04
URL: CVE-2023-4237
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2023-5764
Vulnerable Library - ansible-core-2.12.2.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/20/29/261882cb36120e22804f0579da6e13421d719ccbde4ccdffe3f54368c503/ansible-core-2.12.2.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251126140837_YAOJPN/python_UBHLPJ/20251126140838/ansible-core-2.12.2.tar.gz
Dependency Hierarchy:
- ❌ ansible-core-2.12.2.tar.gz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A template injection flaw was found in Ansible where a user's controller internal templating operations may remove the unsafe designation from template data. This issue could allow an attacker to use a specially crafted file to introduce templating injection when supplying templating data.
Publish Date: 2023-12-12
URL: CVE-2023-5764
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2023-5764
Release Date: 2023-12-12
Fix Resolution: 2.14.12
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-9902
Vulnerable Library - ansible-core-2.12.2.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/20/29/261882cb36120e22804f0579da6e13421d719ccbde4ccdffe3f54368c503/ansible-core-2.12.2.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251126140837_YAOJPN/python_UBHLPJ/20251126140838/ansible-core-2.12.2.tar.gz
Dependency Hierarchy:
- ❌ ansible-core-2.12.2.tar.gz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A flaw was found in Ansible. The ansible-core "user" module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the "user" module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-11-06
URL: CVE-2024-9902
CVSS 3 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2024-11-06
Fix Resolution: 2.14.18
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2023-5115
Vulnerable Library - ansible-core-2.12.2.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/20/29/261882cb36120e22804f0579da6e13421d719ccbde4ccdffe3f54368c503/ansible-core-2.12.2.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251126140837_YAOJPN/python_UBHLPJ/20251126140838/ansible-core-2.12.2.tar.gz
Dependency Hierarchy:
- ❌ ansible-core-2.12.2.tar.gz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An absolute path traversal attack exists in the Ansible automation platform. This flaw allows an attacker to craft a malicious Ansible role and make the victim execute the role. A symlink can be used to overwrite a file outside of the extraction path.
Publish Date: 2023-12-18
URL: CVE-2023-5115
CVSS 3 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2023-12-18
Fix Resolution: 2.13.13
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-8775
Vulnerable Library - ansible-core-2.12.2.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/20/29/261882cb36120e22804f0579da6e13421d719ccbde4ccdffe3f54368c503/ansible-core-2.12.2.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251126140837_YAOJPN/python_UBHLPJ/20251126140838/ansible-core-2.12.2.tar.gz
Dependency Hierarchy:
- ❌ ansible-core-2.12.2.tar.gz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
Publish Date: 2024-09-14
URL: CVE-2024-8775
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-jpxc-vmjf-9fcj
Release Date: 2024-09-14
Fix Resolution: 2.16.14
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-11079
Vulnerable Library - ansible-core-2.12.2.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/20/29/261882cb36120e22804f0579da6e13421d719ccbde4ccdffe3f54368c503/ansible-core-2.12.2.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251126140837_YAOJPN/python_UBHLPJ/20251126140838/ansible-core-2.12.2.tar.gz
Dependency Hierarchy:
- ❌ ansible-core-2.12.2.tar.gz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.
Publish Date: 2024-11-11
URL: CVE-2024-11079
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-11079
Release Date: 2024-11-11
Fix Resolution: 2.16.14
⛑️ Automatic Remediation will be attempted for this issue.
CVE-2024-0690
Vulnerable Library - ansible-core-2.12.2.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/20/29/261882cb36120e22804f0579da6e13421d719ccbde4ccdffe3f54368c503/ansible-core-2.12.2.tar.gz
Path to dependency file: /requirements.txt
Path to vulnerable library: /tmp/ws-ua_20251126140837_YAOJPN/python_UBHLPJ/20251126140838/ansible-core-2.12.2.tar.gz
Dependency Hierarchy:
- ❌ ansible-core-2.12.2.tar.gz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
Publish Date: 2024-02-06
URL: CVE-2024-0690
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2024-0690
Release Date: 2024-02-06
Fix Resolution: ansible-core - 2.14.14,2.15.9,2.16.3
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.