Ansible Tower
This hub aggregates every CVE we track for Ansible Tower, a product in the devtools ci space. Use it to gauge the current risk picture and drill into individual advisories.
- CVEs tracked: 75
- Critical: 5
- High: 27
- In CISA KEV: 1
Severity distribution
- MEDIUM: 36
- HIGH: 27
- LOW: 7
- CRITICAL: 5
Monthly trend
[Chart: monthly CVE counts, 2024-07 to 2026-06]
Latest CVEs
The 15 most recently published vulnerabilities affecting Ansible Tower.
- CVE-2024-11236: Integer overflow in the firebird and dblib quoters causing OOB writes (score: 9.8)
- CVE-2021-4112: A flaw was found in ansible-tower where the default installation is vulnerable to job isolation escape. This flaw allows an attacker to elevate the privilege from a low privileged user to an AWX us... (score: 8.8)
- CVE-2021-43818: HTML Cleaner allows crafted and SVG embedded scripts to pass through (score: 8.2)
- CVE-2021-3583: A flaw was found in Ansible, where a user's controller is vulnerable to template injection. This issue can occur through facts used in the template if the user is trying to put templates in multi-l... (score: 7.1)
- CVE-2021-23017: A security issue in nginx resolver was identified, which might allow an attacker who is able to forge UDP packets from the DNS server to cause 1-byte memory overwrite, resulting in worker process c... (score: 7.7)
- CVE-2020-14329: A data exposure flaw was found in Ansible Tower in versions before 3.7.2, where sensitive data can be exposed from the /api/v2/labels/ endpoint. This flaw allows users from other organizations in t... (score: 3.3)
- CVE-2020-14328: A flaw was found in Ansible Tower in versions before 3.7.2. A Server Side Request Forgery flaw can be abused by supplying a URL which could lead to the server processing it connecting to internal s... (score: 3.3)
- CVE-2020-14327: A Server-side request forgery (SSRF) flaw was found in Ansible Tower in versions before 3.6.5 and before 3.7.2. Functionality on the Tower server is abused by supplying a URL that could lead to the... (score: 5.5)
- CVE-2020-10709: A security flaw was found in Ansible Tower when requesting an OAuth2 token with an OAuth2 application. Ansible Tower uses the token to provide authentication. This flaw allows an attacker to obtain... (score: 7.1)
- CVE-2020-10698: A flaw was found in Ansible Tower when running jobs. This flaw allows an attacker to access the stdout of the executed jobs which are run from other organizations. Some sensible data can be disclos... (score: 3.3)
- CVE-2020-10697: A flaw was found in Ansible Tower when running Openshift. Tower runs a memcached, which is accessed via TCP. An attacker can take advantage of writing a playbook polluting this cache, causing a den... (score: 4.4)
- CVE-2021-20191: A flaw was found in ansible. Credentials, such as secrets, are being disclosed in console log by default and not protected by no_log feature when using those modules. An attacker can take advantage... (score: 5.5)
- CVE-2021-20178: A flaw was found in ansible module where credentials are disclosed in the console log by default and not protected by the security feature when using the bitbucket_pipeline_variable module. This fl... (score: 5.5)
- CVE-2021-20228: A flaw was found in the Ansible Engine 2.9.18, where sensitive info is not masked by default and is not protected by the no_log feature when using the sub-option feature of the basic.py module. Thi... (score: 7.5)
- CVE-2021-3447: A flaw was found in several ansible modules, where parameters containing credentials, such as secrets, were being logged in plain-text on managed nodes, as well as being made visible on the control... (score: 5.5)
Product normalization is registry-driven with AI assist and human review.