Openstack Red Hat Openstack


Recent Red Hat Openstack Security Advisories

| Advisory | Title | Published |
| --- | --- | --- |
| RHSA-2026:1958 | Important: Red Hat OpenStack Services on OpenShift 18.0 (openstack-keystone) security update | February 12, 2026 |
| RHSA-2026:1959 | Moderate: Red Hat OpenStack Services on OpenShift 18.0 (python-eventlet) security update | February 12, 2026 |
| RHSA-2025:22969 | Important: Red Hat OpenStack Platform 17.1 (libwebsockets) security update | December 9, 2025 |
| RHSA-2025:22955 | Red Hat OpenStack Platform 17.1.12 director Operator container images | December 9, 2025 |
| RHSA-2025:17500 | Important: Red Hat OpenStack Services on OpenShift 18.0 (python-django) security update | October 7, 2025 |
| RHSA-2025:17499 | Important: Red Hat OpenStack Platform 16.2 (python-django20) security update | October 7, 2025 |
| RHSA-2025:17498 | Important: Red Hat OpenStack Platform 17.1 (python-django) security update | October 7, 2025 |
| RHSA-2025:7536 | Important: Red Hat OpenStack Platform 17.1 (python-h11) security update | May 14, 2025 |
| RHSA-2025:7535 | Important: Red Hat OpenStack Platform 18.0 (python-h11) security update | May 14, 2025 |
| RHSA-2025:4187 | Moderate: Red Hat OpenStack Platform 17.1 (python-django) security update | April 24, 2025 |

By the Year

In 2026 there have been 0 vulnerabilities in Red Hat Openstack. Last year, in 2025, Openstack had 3 security vulnerabilities published. Right now, Openstack is on track to have fewer security vulnerabilities in 2026 than it did last year.




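| Year | Vulnerabilities | Average Score |
| --- | --- | --- |
| 2026 | 0 | 0.00 |
| 2025 | 3 | 5.23 |
| 2024 | 14 | 6.31 |
| 2023 | 7 | 5.11 |
| 2022 | 8 | 6.80 |
| 2021 | 2 | 7.50 |
| 2020 | 23 | 5.94 |
| 2019 | 30 | 7.18 |
| 2018 | 56 | 7.00 |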

It may take a day or so for new Openstack vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Red Hat Openstack Security Vulnerabilities

Ansible-Collection-Community-General: Info Exposure via Verbose Debug Output
CVE-2025-14010 5.5 - Medium - December 04, 2025

A flaw was found in ansible-collection-community-general. This vulnerability allows for information exposure (IE) of sensitive credentials, specifically plaintext passwords, via verbose output when running Ansible with debug modes. Attackers with access to logs could retrieve these secrets and potentially compromise Keycloak accounts or administrative access.

Insertion of Sensitive Information into Log File

OpenStack Mistral-Dashboard LFI via Create Workbook
CVE-2021-4472 6.5 - Medium - November 26, 2025

The mistral-dashboard plugin for OpenStack has a local file inclusion vulnerability through the 'Create Workbook' feature that may result in disclosure of the contents of arbitrary local files.

External Control of File Name or Path

CIRCL FourQ RCE via Low-Order Point Injection in Diffie-Hellman
CVE-2025-8556 3.7 - Low - August 06, 2025

A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange.

Improper Verification of Cryptographic Signature

Ansible User Module Privilege Escalation
CVE-2024-9902 6.3 - Medium - November 06, 2024

A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner.

AuthZ

Uninitialized Buffer in Go FIPS OpenSSL May Cause False HMAC Match
CVE-2024-9355 6.5 - Medium - October 01, 2024

A vulnerability was found in Golang FIPS OpenSSL. This flaw allows a malicious user to randomly cause an uninitialized buffer length variable with a zeroed buffer to be returned in FIPS mode. It may also be possible to force a false positive match between non-equal hashes when comparing a trusted computed HMAC sum to an untrusted input sum if an attacker can send a zeroed buffer in place of a pre-computed sum. It is also possible to force a derived key to be all zeros instead of an unpredictable value. This may have follow-on implications for the Go TLS stack.

Use of Uninitialized Variable

OpenStack RHOSP openstack-tripleo-common TLS Verification Bypass MITM
CVE-2024-8007 8.1 - High - August 21, 2024

A flaw was found in the openstack-tripleo-common component of the Red Hat OpenStack Platform (RHOSP) director. This vulnerability allows an attacker to deploy potentially compromised container images via disabling TLS certificate verification for registry mirrors, which could enable a man-in-the-middle (MITM) attack.

Improper Certificate Validation

Heap-Buffer-Overflow in Unbound cfg_mark_ports (config_file.c)
CVE-2024-43168 4.8 - Medium - August 12, 2024

DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet Labs has no further information about the claim, and suggests that affected Red Hat customers refer to available Red Hat documentation or support channels. ORIGINAL DESCRIPTION: A heap-buffer-overflow flaw was found in the cfg_mark_ports function within Unbound's config_file.c, which can lead to memory corruption. This issue could allow an attacker with local access to provide specially crafted input, potentially causing the application to crash or allowing arbitrary code execution. This could result in a denial of service or unauthorized actions on the system.

Heap-based Buffer Overflow

Unbound NULL Pointer Deref in ub_ctx_set_fwd causes DoS
CVE-2024-43167 2.8 - Low - August 12, 2024

DISPUTE NOTE: this issue does not pose a security risk as it (according to analysis by the original software developer, NLnet Labs) falls within the expected functionality and security controls of the application. Red Hat has made a claim that there is a security risk within Red Hat products. NLnet Labs has no further information about the claim, and suggests that affected Red Hat customers refer to available Red Hat documentation or support channels. ORIGINAL DESCRIPTION: A NULL pointer dereference flaw was found in the ub_ctx_set_fwd function in Unbound. This issue could allow an attacker who can invoke specific sequences of API calls to cause a segmentation fault. When certain API functions such as ub_ctx_set_fwd and ub_ctx_resolvconf are called in a particular order, the program attempts to read from a NULL pointer, leading to a crash. This issue can result in a denial of service by causing the application to terminate unexpectedly.

NULL Pointer Dereference

OpenStack Heat Sensitive Info Leak via Stack Abandon with Hidden=True
CVE-2024-7319 5 - Medium - August 02, 2024

An incomplete fix for CVE-2023-1625 was found in openstack-heat. Sensitive information may possibly be disclosed through the OpenStack stack abandon command with the hidden feature set to True and the CVE-2023-1625 fix applied.

Information Disclosure

RHOSP Director: Plaintext Passwords Logged in Log Files
CVE-2024-4840 5.5 - Medium - May 14, 2024

A flaw was found in the OpenStack Platform (RHOSP) director, a toolset for installing and managing a complete RHOSP environment. Plaintext passwords may be stored in log files, which can expose sensitive information to anyone with access to the logs.

Cleartext Storage of Sensitive Information

Authenticated Registry Access Path Traversal in containers/image
CVE-2024-3727 8.3 - High - May 14, 2024

A flaw was found in the github.com/containers/image library. This flaw allows attackers to trigger unexpected authenticated registry accesses on behalf of a victim user, causing resource exhaustion, local path traversal, and other attacks.

Improper Validation of Integrity Check Value

Red Hat OpenStack: etcd HTTP2 Fix Flaw CVE-2024-4436
CVE-2024-4436 7.5 - High - May 08, 2024

The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2022-41723. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.

Resource Exhaustion

Rapid Reset in Red Hat OpenStack etcd: Incomplete CVE-2023-39325/44487 Fix
CVE-2024-4438 7.5 - High - May 08, 2024

The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2023-39325/CVE-2023-44487, known as Rapid Reset. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.

Resource Exhaustion

Red Hat OpenStack etcd HTTP2 Dependency Issue CVE-2024-4437
CVE-2024-4437 7.5 - High - May 08, 2024

The etcd package distributed with the Red Hat OpenStack platform has an incomplete fix for CVE-2021-44716. This issue occurs because the etcd package in the Red Hat OpenStack platform is using http://golang.org/x/net/http2 instead of the one provided by Red Hat Enterprise Linux versions, meaning it should be updated at compile time instead.

Resource Exhaustion

Memory Leak in Go RSA (golang-fips/openssl) Leads to Resource Exhaustion
CVE-2024-1394 7.5 - High - March 21, 2024

A memory leak flaw was found in Golang in the RSA encrypting/decrypting code, which might lead to a resource exhaustion vulnerability using attacker-controlled inputs. The memory leak happens in github.com/golang-fips/openssl/openssl/rsa.go#L113. The objects leaked are pkey and ctx. That function uses named return parameters to free pkey and ctx if there is an error initializing the context or setting the different properties. All return statements related to error cases follow the "return nil, nil, fail(...)" pattern, meaning that pkey and ctx will be nil inside the deferred function that should free them.

Memory Leak

OpenStack Designate: ACL Flaw Exposes BIND Access Keys
CVE-2023-6725 5.5 - Medium - March 15, 2024

An access-control flaw was found in the OpenStack Designate component where private configuration information including access keys to BIND were improperly made world readable. A malicious attacker with access to any container could exploit this flaw to access sensitive information.

Insufficient Granularity of Access Control

Python-Glance-Store Debug Log Exposes Access Key (CVE-2024-1141)
CVE-2024-1141 5.5 - Medium - February 01, 2024

A vulnerability was found in python-glance-store. The issue occurs when the package logs the access_key for the glance-store when the DEBUG log level is enabled.

Logging of Excessive Data

RedHat python-eventlet Regression: Patch CVE-2021-21419 Missing
CVE-2023-5625 5.3 - Medium - November 01, 2023

A regression was introduced in the Red Hat build of python-eventlet due to a change in the patch application strategy, resulting in a patch for CVE-2021-21419 not being applied for all builds of all products.

Allocation of Resources Without Limits or Throttling

OpenStack Neutron DoS via Uncontrolled Resource Consumption (Auth)
CVE-2023-3637 4.3 - Medium - July 25, 2023

An uncontrolled resource consumption flaw was found in openstack-neutron. This flaw allows a remote authenticated user to query a list of security groups for an invalid project. This issue creates resources that are unconstrained by the user's quota. If a malicious user were to submit a significant number of requests, this could lead to a denial of service.

Resource Exhaustion

OpenStack Cinder/Nova Volume Detach Auth Bypass Conf Leak
CVE-2023-2088 6.5 - Medium - May 12, 2023

A flaw was found in OpenStack due to an inconsistency between Cinder and Nova. This issue can be triggered intentionally or by accident. A remote, authenticated attacker could exploit this vulnerability by detaching one of their volumes from Cinder. The highest impact is to confidentiality.

Expected Behavior Violation

TripleO-Ans Local Info Disclosure via Insecure Default Permissions
CVE-2022-3146 5.5 - Medium - March 23, 2023

A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file. This issue leads to information disclosure of important configuration details from the OpenStack deployment.

Directory traversal

Local info disclosure in tripleo-ansible via insecure file perms
CVE-2022-3101 5.5 - Medium - March 23, 2023

A flaw was found in tripleo-ansible. Due to an insecure default configuration, the permissions of a sensitive file are not sufficiently restricted. This flaw allows a local attacker to use brute force to explore the relevant directory and discover the file, leading to information disclosure of important configuration details from the OpenStack deployment.

Directory traversal

OpenStack Glance: Auth-User Can Tamper Images (CVE-2022-4134)
CVE-2022-4134 2.8 - Low - March 06, 2023

A flaw was found in openstack-glance. This issue could allow a remote, authenticated attacker to tamper with images, compromising the integrity of virtual machines created using these modified images.

Inclusion of Functionality from Untrusted Control Sphere

OpenStack Barbican Policy Bypass via Query String
CVE-2022-3100 5.9 - Medium - January 18, 2023

A flaw was found in the openstack-barbican component. This issue allows an access policy bypass via a query string when accessing the API.

Authentication Bypass by Primary Weakness

OpenStack oslo.privsep PrivEsc via Overly Permissive Access
CVE-2022-38065 8.8 - High - December 21, 2022

A privilege escalation vulnerability exists in the oslo.privsep functionality of OpenStack git master 05194e7618 and prior. Overly permissive functionality within tools leveraging this library within a container can lead to increased privileges.

Improper Privilege Management

An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack
CVE-2022-1655 6.5 - Medium - July 22, 2022

An Incorrect Permission Assignment for Critical Resource flaw was found in Horizon on Red Hat OpenStack. Horizon session cookies are created without the HttpOnly flag despite HorizonSecureCookies being set to true in the environmental files, possibly leading to a loss of confidentiality and integrity.

Incorrect Permission Assignment for Critical Resource

An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname
CVE-2021-4180 4.3 - Medium - March 23, 2022

An information exposure flaw in openstack-tripleo-heat-templates allows an external user to discover the internal IP or hostname. An attacker could exploit this by checking the www_authenticate_uri parameter (which is visible to all end users) in configuration files. This would give sensitive information which may aid in additional system exploitation. This flaw affects openstack-tripleo-heat-templates versions prior to 11.6.1.

Exposure of Resource to Wrong Sphere

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization
CVE-2021-3656 8.8 - High - March 04, 2022

A flaw was found in the KVM's AMD code for supporting SVM nested virtualization. The flaw occurs when processing the VMCB (virtual machine control block) provided by the L1 guest to spawn/handle a nested guest (L2). Due to improper validation of the "virt_ext" field, this issue could allow a malicious L1 to disable both VMLOAD/VMSAVE intercepts and VLS (Virtual VMLOAD/VMSAVE) for the L2 guest. As a result, the L2 guest would be allowed to read/write physical pages of the host, resulting in a crash of the entire system, leak of sensitive data or potential guest-to-host escape.

AuthZ

A flaw was found in Ansible Engine's ansible-connection module
CVE-2021-3620 5.5 - Medium - March 03, 2022

A flaw was found in Ansible Engine's ansible-connection module, where sensitive information such as the Ansible user credentials is disclosed by default in the traceback error message. The highest threat from this vulnerability is to confidentiality.

Generation of Error Message Containing Sensitive Information

A flaw was found in the way samba implemented SMB1 authentication
CVE-2016-2124 5.9 - Medium - February 18, 2022

A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.

Authentication

A flaw was found in the way Samba maps domain users to local users
CVE-2020-25717 8.1 - High - February 18, 2022

A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use this flaw to cause possible privilege escalation.

Improper Input Validation

An off-by-one error was found in the SCSI device emulation in QEMU
CVE-2021-3930 6.5 - Medium - February 18, 2022

An off-by-one error was found in the SCSI device emulation in QEMU. It could occur while processing MODE SELECT commands in mode_sense_page() if the 'page' argument was set to MODE_PAGE_ALLS (0x3f). A malicious guest could use this flaw to potentially crash QEMU, resulting in a denial of service condition.

off-by-five

A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1
CVE-2021-31918 7.5 - High - May 06, 2021

A flaw was found in tripleo-ansible version as shipped in Red Hat Openstack 16.1. The Ansible log file is readable to all users during stack update and creation. The highest threat from this vulnerability is to data confidentiality.

Incorrect Permission Assignment for Critical Resource

A flaw was found in multiple versions of OpenvSwitch
CVE-2020-27827 7.5 - High - March 18, 2021

A flaw was found in multiple versions of OpenvSwitch. Specially crafted LLDP packets can cause memory to be lost when allocating data to handle specific optional TLVs, potentially causing a denial of service. The highest threat from this vulnerability is to system availability.

Resource Exhaustion

Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system
CVE-2020-14355 6.6 - Medium - October 07, 2020

Multiple buffer overflow vulnerabilities were found in the QUIC image decoding process of the SPICE remote display system, before spice-0.14.2-1. Both the SPICE client (spice-gtk) and server are affected by these flaws. These flaws allow a malicious client or server to send specially crafted messages that, when processed by the QUIC image compression algorithm, result in a process crash or potential code execution.

Classic Buffer Overflow

An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0
CVE-2020-14364 5 - Medium - August 31, 2020

An out-of-bounds read/write access flaw was found in the USB emulator of the QEMU in versions before 5.2.0. This issue occurs while processing USB packets from a guest when USBDevice 'setup_len' exceeds its 'data_buf[4096]' in the do_token_in, do_token_out routines. This flaw allows a guest user to crash the QEMU process, resulting in a denial of service, or the potential execution of arbitrary code with the privileges of the QEMU process on the host.

Out-of-bounds Read

Apache HTTP Server versions 2.4.20 to 2.4.43
CVE-2020-9490 7.5 - High - August 07, 2020

Apache HTTP Server versions 2.4.20 to 2.4.43. A specially crafted value for the 'Cache-Digest' header in an HTTP/2 request would result in a crash when the server actually tries to HTTP/2 PUSH a resource afterwards. Configuring the HTTP/2 feature via "H2Push off" will mitigate this vulnerability for unpatched servers.

HTTP Request Smuggling

An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator
CVE-2020-10756 6.5 - Medium - July 09, 2020

An out-of-bounds read vulnerability was found in the SLiRP networking implementation of the QEMU emulator. This flaw occurs in the icmp6_send_echoreply() routine while replying to an ICMP echo request, also known as ping. This flaw allows a malicious guest to leak the contents of the host memory, resulting in possible information disclosure. This flaw affects versions of libslirp before 4.3.1.

Out-of-bounds Read

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1
CVE-2019-14900 6.5 - Medium - July 06, 2020

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

SQL Injection

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway)
CVE-2020-10753 6.5 - Medium - June 26, 2020

A flaw was found in the Red Hat Ceph Storage RadosGW (Ceph Object Gateway). The vulnerability is related to the injection of HTTP headers via a CORS ExposeHeader tag. The newline character in the ExposeHeader tag in the CORS configuration file generates a header injection in the response when the CORS request is made. Ceph versions 3.x and 4.x are vulnerable to this issue.

Injection

A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7
CVE-2020-10711 5.9 - Medium - May 22, 2020

A NULL pointer dereference flaw was found in the Linux kernel's SELinux subsystem in versions before 5.7. This flaw occurs while importing the Commercial IP Security Option (CIPSO) protocol's category bitmap into the SELinux extensible bitmap via the 'ebitmap_netlbl_import' routine. While processing the CIPSO restricted bitmap tag in the 'cipso_v4_parsetag_rbm' routine, it sets the security attribute to indicate that the category bitmap is present, even if it has not been allocated. This issue leads to a NULL pointer dereference issue while importing the same category bitmap into SELinux. This flaw allows a remote network user to crash the system kernel, resulting in a denial of service.

NULL Pointer Dereference

A flaw was found in Keycloak in versions before 10.0.0
CVE-2020-1758 5.9 - Medium - May 15, 2020

A flaw was found in Keycloak in versions before 10.0.0, where it does not perform the TLS hostname verification while sending emails using the SMTP server. This flaw allows an attacker to perform a man-in-the-middle (MITM) attack.

Improper Certificate Validation

A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules
CVE-2020-10685 5.5 - Medium - May 11, 2020

A flaw was found in Ansible Engine affecting Ansible Engine versions 2.7.x before 2.7.17 and 2.8.x before 2.8.11 and 2.9.x before 2.9.7 as well as Ansible Tower before and including versions 3.4.5 and 3.5.5 and 3.6.3 when using modules which decrypts vault files such as assemble, script, unarchive, win_copy, aws_s3 or copy modules. The temporary directory is created in /tmp leaves the s ts unencrypted. On Operating Systems which /tmp is not a tmpfs but part of the root partition, the directory is only cleared on boot and the decryp emains when the host is switched off. The system will be vulnerable when the system is not running. So decrypted data must be cleared as soon as possible and the data which normally is encrypted ble.

Insufficient Cleanup

A vulnerability was found in Red Hat Ceph Storage 4 and Red Hat Openshift Container Storage 4.2 where, A nonce reuse vulnerability was discovered in the secure mode of the messenger v2 protocol, which can
CVE-2020-1759 6.8 - Medium - April 13, 2020

A vulnerability was found in Red Hat Ceph Storage 4 and Red Hat Openshift Container Storage 4.2, where a nonce reuse vulnerability was discovered in the secure mode of the messenger v2 protocol, which can allow an attacker to forge auth tags and potentially manipulate the data by leveraging the reuse of a nonce in a session. Messages encrypted using a reused nonce value are susceptible to serious confidentiality and integrity attacks.

Reusing a Nonce, Key Pair in Encryption

A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where in Ansible's nxos_file_copy module
CVE-2019-14905 5.6 - Medium - March 31, 2020

A vulnerability was found in Ansible Engine versions 2.9.x before 2.9.3, 2.8.x before 2.8.8, 2.7.x before 2.7.16 and earlier, where Ansible's nxos_file_copy module can be used to copy files to a flash or bootflash on NXOS devices. Malicious code could craft the filename parameter to perform OS command injections. This could result in a loss of confidentiality of the system among other issues.

Exposure of Resource to Wrong Sphere

A flaw was found in Ansible Engine
CVE-2020-10684 7.1 - High - March 24, 2020

A flaw was found in Ansible Engine, all versions 2.7.x, 2.8.x and 2.9.x prior to 2.7.17, 2.8.9 and 2.9.6 respectively, when using ansible_facts as a subkey of itself and promoting it to a variable when inject is enabled, overwriting the ansible_facts after the clean. An attacker could take advantage of this by altering the ansible_facts, such as ansible_hosts, users and any other key data which would lead into privilege escalation or code injection.

AuthZ

A flaw was found in Ansible Engine when a file is moved using atomic_move primitive as the file mode cannot be specified
CVE-2020-1736 3.3 - Low - March 16, 2020

A flaw was found in Ansible Engine when a file is moved using the atomic_move primitive, as the file mode cannot be specified. This sets the destination file world-readable if the destination file does not exist; if the file exists, it could be changed to have less restrictive permissions before the move. This could lead to the disclosure of sensitive data. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Incorrect Permission Assignment for Critical Resource

A flaw was found in the Ansible Engine when the fetch module is used
CVE-2020-1735 4.6 - Medium - March 16, 2020

A flaw was found in the Ansible Engine when the fetch module is used. An attacker could intercept the module, inject a new path, and then choose a new destination path on the controller node. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Directory traversal

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files
CVE-2020-1740 4.7 - Medium - March 16, 2020

A flaw was found in Ansible Engine when using Ansible Vault for editing encrypted files. When a user executes "ansible-vault edit", another user on the same computer can read the old and new secret, as it is created in a temporary file with mkstemp and the returned file descriptor is closed and the method write_data is called to write the existing secret in the file. This method will delete the file before recreating it insecurely. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Insecure Temporary File

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified
CVE-2020-1738 3.9 - Low - March 16, 2020

A flaw was found in Ansible Engine when the module package or service is used and the parameter 'use' is not specified. If a previous task is executed with a malicious user, the module sent can be selected by the attacker using the ansible facts file. All versions in 2.7.x, 2.8.x and 2.9.x branches are believed to be vulnerable.

Argument Injection
