Christmas is getting closer, and as we get into the Christmas spirit
we wanted to write something extra for Christmas.
A tool we all love more than Santa is Ansible!
Ansible is an open-source tool written in Python,
used by system administrators to manage and deploy computer
servers and virtual machines.
Several vulnerabilities have now been reported that affect
A vulnerability has been found and reported in Ansible Tower,
which is a project by Red Hat.
A bug was found in Ansible Tower where the RHSM credentials
are saved in plain text in the database
that is available at ‘/api/v2/config’ after applying
the Ansible Tower license. Attackers with this information
could log into RHSM (Red Hat Subscription Management)
and modify licenses and make other changes.
The vulnerability has been given the CVE of CVE-2019-14890.
The bug has been reported to Red Hat and patched in
the following link:
Summary from the GitHub issue:
Convert CLI provided passwords to text initially, to prevent unsafe context being lost when converting from bytes->text during post processing of PlayContext. This prevents CLI provided passwords from being incorrectly templated (CVE-2019-14856) Update AnsibleUnsafeText and AnsibleUnsafeBytes to maintain unsafe context by overriding .encode and .decode. This prevents future issues with to_text, to_bytes, or to_native removing the unsafe wrapper when converting between string types (CVE-2019-14856)
This vulnerability has been patched and the
code has changed:
bugfixes:
  - >
    **security issue** - Convert CLI provided passwords to text initially, to prevent unsafe context being lost
    when converting from bytes->text during post processing of PlayContext. This prevents CLI provided passwords
    from being incorrectly templated.
  - >
    **security issue** - Update ``AnsibleUnsafeText`` and ``AnsibleUnsafeBytes`` to maintain unsafe context by
    overriding ``.encode`` and ``.decode``. This prevents future issues with ``to_text``, ``to_bytes``, or
    ``to_native`` removing the unsafe wrapper when converting between string types.
The vulnerability has been given the CVE of CVE-2019-14856.
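
A simplified model of the wrapper behaviour described in that summary, added here as an example and not Ansible's own code. The class names, `toy_template` and the sample password are assumptions made for illustration; the "Lossy" pair shows how a plain marker subclass loses its type on a bytes->text conversion, and the second pair overrides `.encode` and `.decode` to keep it.

```python
import re

class LossyUnsafeText(str):
    """'Before' model: marker subclass with no conversion overrides."""

class LossyUnsafeBytes(bytes):
    """'Before' model: marker subclass with no conversion overrides."""

class UnsafeBytes(bytes):
    """'After' model: decode() hands back the text wrapper."""
    def decode(self, *args, **kwargs):
        return UnsafeText(super().decode(*args, **kwargs))

class UnsafeText(str):
    """'After' model: encode() hands back the bytes wrapper."""
    def encode(self, *args, **kwargs):
        return UnsafeBytes(super().encode(*args, **kwargs))

UNSAFE_TYPES = (LossyUnsafeText, LossyUnsafeBytes, UnsafeText, UnsafeBytes)

def is_unsafe(value):
    """True while the value still carries one of the marker types."""
    return isinstance(value, UNSAFE_TYPES)

def toy_template(value, variables):
    """Stand-in templater: expands {{ name }} unless the value is marked unsafe."""
    if is_unsafe(value):
        return value  # unsafe input is passed through untouched
    return re.sub(r"\{\{\s*(\w+)\s*\}\}",
                  lambda m: str(variables.get(m.group(1), m.group(0))), value)

def demo():
    variables = {"x": "EXPANDED"}   # constructed template variables
    raw = b"pa{{ x }}ss"            # constructed CLI password containing braces
    # bytes -> text conversion, as in the post-processing step the summary names
    before = toy_template(LossyUnsafeBytes(raw).decode("utf-8"), variables)
    after = toy_template(UnsafeBytes(raw).decode("utf-8"), variables)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("marker lost, password templated:", before)
    print("marker kept, password untouched:", after)
```
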
A vulnerability was found in the gcp_storage_object.py
function which causes a failure when calling the
The vulnerability has been given the CVE of CVE-2019-10217.
The vulnerability was quickly reported to Ansible
through a GitHub issue, and the problem was quickly addressed
and patched. https://github.com/ansible/ansible/issues/56269
From us all to you all: we at firo wish you a merry Christmas,
with the happy announcement that we have passed 300 000 unique views
on this blog! We are happy to provide you with this blog
and happily wish you a merry Christmas and a happy new year.
This blog post is part of the exploit of the day series
where we write a shorter description about interesting
exploits that we index.