Safety CI > inhumantsar/python-ansible-vault-rekey

pyup-pin-ansible-9.0.1

2 years, 5 months ago

a520bf37

Pin ansible to latest version 9.0.1

click 7.1.2 and ansible 9.0.1 have known security vulnerabilities.

Package

Installed

Affected

Info

click

7.1.2

<8.0.0

show

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

ansible

9.0.1

<12.2.0

show

Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.

pyup-pin-ansible-9.0.0

2 years, 5 months ago

b8129d2f

Pin ansible to latest version 9.0.0

click 7.1.2 and ansible 9.0.0 have known security vulnerabilities.

Package	Installed	Affected	Info
click	7.1.2	<8.0.0	show Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'. https://github.com/pallets/click/issues/1752

pyup-pin-ansible-8.6.1

2 years, 5 months ago

65d1c8e3

Pin ansible to latest version 8.6.1

click 7.1.2 and ansible 8.6.1 have known security vulnerabilities.

Package

Installed

Affected

Info

click

7.1.2

<8.0.0

show

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

ansible

8.6.1

<12.2.0

show

Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.

pyup-pin-ansible-8.6.0

2 years, 5 months ago

839f4fcf

Pin ansible to latest version 8.6.0

click 7.1.2 and ansible 8.6.0 have known security vulnerabilities.

Package

Installed

Affected

Info

click

7.1.2

<8.0.0

show

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

ansible

8.6.0

<12.2.0

show

Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.

pyup-pin-ansible-8.5.0

2 years, 6 months ago

ed820451

Pin ansible to latest version 8.5.0

click 7.1.2 and ansible 8.5.0 have known security vulnerabilities.

Package

Installed

Affected

Info

click

7.1.2

<8.0.0

show

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

ansible

8.5.0

<12.2.0

show

Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.

pyup-pin-ansible-8.4.0

2 years, 7 months ago

f7092d52

Pin ansible to latest version 8.4.0

click 7.1.2 and ansible 8.4.0 have known security vulnerabilities.

Package

Installed

Affected

Info

click

7.1.2

<8.0.0

show

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

ansible

8.4.0

<12.2.0

show

Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.

pyup-pin-click-8.1.7

2 years, 8 months ago

014f6cdf

Pin click to latest version 8.1.7

ansible 2.9.27 has known security vulnerabilities.

Package	Installed	Affected	Info
ansible	2.9.27	>=2.4.0.0,<2.10.0	show Affected versions of the `ansible` package are vulnerable to Improper Output Neutralization for Logs due to insufficient sanitization of sensitive data in log outputs. The vulnerability exists in the `uri` module, where sensitive information such as keys can be inadvertently logged in both content and JSON outputs. An attacker can exploit this vulnerability by accessing the logs to obtain sensitive data, compromising the confidentiality of playbooks and potentially exposing private keys used by other users.
ansible	2.9.27	<2.10.5	show A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability. This CVE affects community.aws before 1.2.1 and Ansible-build-data ships this dependency on versions before 2.10.5.
ansible	2.9.27	<12.2.0	show Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.
ansible	2.9.27	>=2.5.0a1,<7.0.0	show A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.
ansible	2.9.27	<2.10.5	show A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality. This CVE affects community.aws before 1.2.1 and Ansible-build-data ships this dependency on versions before 2.10.5.

pyup-pin-ansible-8.3.0

2 years, 8 months ago

822b4284

Pin ansible to latest version 8.3.0

click 7.1.2 and ansible 8.3.0 have known security vulnerabilities.

Package

Installed

Affected

Info

click

7.1.2

<8.0.0

show

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

ansible

8.3.0

<12.2.0

show

Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.

pyup-pin-click-8.1.6

2 years, 9 months ago

6bfb903b

Pin click to latest version 8.1.6

ansible 2.9.27 has known security vulnerabilities.

Package	Installed	Affected	Info
ansible	2.9.27	>=2.4.0.0,<2.10.0	show Affected versions of the `ansible` package are vulnerable to Improper Output Neutralization for Logs due to insufficient sanitization of sensitive data in log outputs. The vulnerability exists in the `uri` module, where sensitive information such as keys can be inadvertently logged in both content and JSON outputs. An attacker can exploit this vulnerability by accessing the logs to obtain sensitive data, compromising the confidentiality of playbooks and potentially exposing private keys used by other users.
ansible	2.9.27	<2.10.5	show A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability. This CVE affects community.aws before 1.2.1 and Ansible-build-data ships this dependency on versions before 2.10.5.
ansible	2.9.27	<12.2.0	show Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.
ansible	2.9.27	>=2.5.0a1,<7.0.0	show A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.
ansible	2.9.27	<2.10.5	show A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality. This CVE affects community.aws before 1.2.1 and Ansible-build-data ships this dependency on versions before 2.10.5.

pyup-pin-ansible-8.2.0

2 years, 9 months ago

d366ea4c

Pin ansible to latest version 8.2.0

click 7.1.2 and ansible 8.2.0 have known security vulnerabilities.

Package

Installed

Affected

Info

click

7.1.2

<8.0.0

show

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

ansible

8.2.0

<12.2.0

show

Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.

pyup-pin-click-8.1.5

2 years, 9 months ago

8d581112

Pin click to latest version 8.1.5

ansible 2.9.27 has known security vulnerabilities.

Package	Installed	Affected	Info
ansible	2.9.27	>=2.4.0.0,<2.10.0	show Affected versions of the `ansible` package are vulnerable to Improper Output Neutralization for Logs due to insufficient sanitization of sensitive data in log outputs. The vulnerability exists in the `uri` module, where sensitive information such as keys can be inadvertently logged in both content and JSON outputs. An attacker can exploit this vulnerability by accessing the logs to obtain sensitive data, compromising the confidentiality of playbooks and potentially exposing private keys used by other users.
ansible	2.9.27	<2.10.5	show A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability. This CVE affects community.aws before 1.2.1 and Ansible-build-data ships this dependency on versions before 2.10.5.
ansible	2.9.27	<12.2.0	show Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.
ansible	2.9.27	>=2.5.0a1,<7.0.0	show A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.
ansible	2.9.27	<2.10.5	show A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality. This CVE affects community.aws before 1.2.1 and Ansible-build-data ships this dependency on versions before 2.10.5.

pyup-pin-click-8.1.4

2 years, 9 months ago

1f2f113c

Pin click to latest version 8.1.4

ansible 2.9.27 has known security vulnerabilities.

Package	Installed	Affected	Info
ansible	2.9.27	>=2.4.0.0,<2.10.0	show Affected versions of the `ansible` package are vulnerable to Improper Output Neutralization for Logs due to insufficient sanitization of sensitive data in log outputs. The vulnerability exists in the `uri` module, where sensitive information such as keys can be inadvertently logged in both content and JSON outputs. An attacker can exploit this vulnerability by accessing the logs to obtain sensitive data, compromising the confidentiality of playbooks and potentially exposing private keys used by other users.
ansible	2.9.27	<2.10.5	show A flaw was found in Ansible Base when using the aws_ssm connection plugin as there is no namespace separation for file transfers. Files are written directly to the root bucket, making possible to have collisions when running multiple ansible processes. This issue affects mainly the service availability. This CVE affects community.aws before 1.2.1 and Ansible-build-data ships this dependency on versions before 2.10.5.
ansible	2.9.27	<12.2.0	show Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.
ansible	2.9.27	>=2.5.0a1,<7.0.0	show A flaw was found in Ansible in the amazon.aws collection when using the `tower_callback` parameter from the `amazon.aws.ec2_instance` module. This flaw allows an attacker to take advantage of this issue as the module is handling the parameter insecurely, leading to the password leaking in the logs.
ansible	2.9.27	<2.10.5	show A flaw was found in Ansible Base when using the aws_ssm connection plugin as garbage collector is not happening after playbook run is completed. Files would remain in the bucket exposing the data. This issue affects directly data confidentiality. This CVE affects community.aws before 1.2.1 and Ansible-build-data ships this dependency on versions before 2.10.5.

pyup-pin-ansible-8.1.0

2 years, 10 months ago

ef548d35

Pin ansible to latest version 8.1.0

click 7.1.2 and ansible 8.1.0 have known security vulnerabilities.

Package

Installed

Affected

Info

click

7.1.2

<8.0.0

show

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

ansible

8.1.0

<12.2.0

show

Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.

pyup-pin-ansible-8.0.0

2 years, 11 months ago

3a84f6d3

Pin ansible to latest version 8.0.0

click 7.1.2 and ansible 8.0.0 have known security vulnerabilities.

Package

Installed

Affected

Info

click

7.1.2

<8.0.0

show

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

ansible

8.0.0

<12.2.0

show

Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.

pyup-pin-ansible-7.6.0

2 years, 11 months ago

0aeb9d74

Pin ansible to latest version 7.6.0

click 7.1.2 and ansible 7.6.0 have known security vulnerabilities.

Package

Installed

Affected

Info

click

7.1.2

<8.0.0

show

Click 8.0.0 uses 'mkstemp()' instead of the deprecated & insecure 'mktemp()'.
https://github.com/pallets/click/issues/1752

ansible

7.6.0

<12.2.0

show

Affected versions of the Ansible package are vulnerable to Information Disclosure due to improper redaction of sensitive credential fields in verbose log output. The community.general.keycloak_user module logs the credentials[].value parameter in plaintext when Ansible is executed with high verbosity (for example, -vvv), because this field is not marked with the no_log protection that is applied to other password parameters such as auth_password.