Ansible-vault.0.3.0 Vulnerability

Hi All,

Recently, we did a project and installed the ansible package inside our project. During VAPT scanning, it was flagged as having a vulnerability due to the ansible-vault.nuspec.

Please check the screenshot for reference.

C:\Users\10126226\Desktop\JTC\VAPT_Python_Scan\ansible-4.10.0.tar.gz\ansible-4.10.0.tar\ansible-4.10.0\ansible_collections\community\windows\tests\integration\targets\win_psmodule_info\files
ansiblevault.0.3.0.nupkg

Thanks.

  1. This problem doesn’t have anything to do with Ansible Vault directly, but with a binary file AnsibleVault.nuget that’s part of the integration tests of the community.windows collection (community.windows/tests/integration/targets/win_psmodule_info/files/ansiblevault.0.3.0.nupkg at main · ansible-collections/community.windows · GitHub). This is nothing that regular users of Ansible ever encounter.
  2. The file is not part of the Ansible (community package) installation, only of the source distribution. Once you install Ansible, that file won’t end up on your disk.

So in any case, this is not a vulnerability affecting anyone except potentially the integration tests of one of the collections included in Ansible (and even there, it’s only used to test a module, and not used itself to run something, so the vulnerability in that program isn’t a problem for the tests as far as I can see).

I’ll create an issue in the collection so the collection maintainers can update or replace the program.


Issue: Security scanners flag tests/integration/targets/win_psmodule_info/files/ansiblevault.0.3.0.nupkg · Issue #549 · ansible-collections/community.windows · GitHub
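
To check the reply's two points against your own environment, the following added example (not part of the original thread and not Ansible project code) lists `.nupkg` files in a downloaded source tarball and in an installed tree, then labels the scanner finding accordingly. The function names and the constructed fixture are assumptions made for illustration.

```python
import io
import os
import sys
import sysconfig
import tarfile
import tempfile

SUFFIX = ".nupkg"  # file type the scanner reported on this page

def flagged_in_sdist(sdist_path, suffix=SUFFIX):
    """Paths inside a source tarball (read in place, not extracted) ending with suffix."""
    with tarfile.open(sdist_path, "r:*") as tar:
        return sorted(m.name for m in tar.getmembers()
                      if m.isfile() and m.name.lower().endswith(suffix))

def flagged_in_tree(root, suffix=SUFFIX):
    """Files under an installed tree (e.g. site-packages) ending with suffix."""
    return sorted(os.path.join(d, f)
                  for d, _dirs, files in os.walk(root)
                  for f in files if f.lower().endswith(suffix))

def classify(sdist_hits, installed_hits):
    """Triage label for the finding, based on where the file actually lives."""
    if installed_hits:
        return "deployed"      # present in the runtime environment
    return "source-only" if sdist_hits else "absent"

def build_constructed_fixture(tmp):
    """Constructed sample: a tiny sdist holding the test file, and an install tree without it."""
    sdist = os.path.join(tmp, "sample-1.0.tar.gz")
    member = ("sample-1.0/ansible_collections/community/windows/tests/integration/"
              "targets/win_psmodule_info/files/ansiblevault.0.3.0.nupkg")
    data = b"constructed placeholder, not a real package"
    with tarfile.open(sdist, "w:gz") as tar:
        for name in (member, "sample-1.0/README.rst"):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    installed = os.path.join(tmp, "site-packages")
    os.makedirs(os.path.join(installed, "ansible_collections", "community", "windows"))
    return sdist, installed

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        if len(sys.argv) == 2:  # real run: argument is the path to the downloaded sdist
            sdist, installed = sys.argv[1], sysconfig.get_paths()["purelib"]
        else:                   # no argument: run against the constructed fixture
            sdist, installed = build_constructed_fixture(tmp)
        s, i = flagged_in_sdist(sdist), flagged_in_tree(installed)
        print(classify(s, i), s, i, sep="\n")
```

A `source-only` result means the scanner matched a file in the archive you downloaded, not one in the environment where Ansible runs.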