Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2019-10217

Опубликовано: 26 июл. 2019
Источник: redhat
CVSS3: 5.7
EPSS Низкий

Описание

A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.

A flaw was found in the gcp module of ansible. Certain fields managing sensitive data should be marked by the no_log feature. The service_account_contents(), which is common class for all gcp modules, is not being set as no_log to True. Any sensitive data managed by that function would be leaked as an output when running ansible playbooks. Data confidentiality is the highest threat with this vulnerability.

Отчет

Ansible shipped with Red Hat Ceph Storage 3; Red Hat OpenStack 10, 13, and 14; and Ansible Engine 2.6 and 2.7 are not vulnerable as they do not include the cred_type implementation (service_account_contents).

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Ceph Storage 2ansibleNot affected
Red Hat Ceph Storage 3ansibleNot affected
Red Hat OpenStack Platform 10 (Newton)ansibleNot affected
Red Hat OpenStack Platform 13 (Queens)ansibleNot affected
Red Hat OpenStack Platform 14 (Rocky)ansibleNot affected
Red Hat Ansible Engine 2.8 for RHEL 7ansibleFixedRHSA-2019:254221.08.2019
Red Hat Ansible Engine 2.8 for RHEL 8ansibleFixedRHSA-2019:254221.08.2019
Red Hat Ansible Engine 2 for RHEL 7ansibleFixedRHSA-2019:254321.08.2019
Red Hat Ansible Engine 2 for RHEL 8ansibleFixedRHSA-2019:254321.08.2019

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-200
https://bugzilla.redhat.com/show_bug.cgi?id=1733509Ansible: gcp modules do not flag sensitive data fields properly

EPSS

Процентиль: 63%
0.00449
Низкий

5.7 Medium

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2019-10217

CVSS3: 6.5
ubuntu
около 6 лет назад

A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.

nvd логотип

CVE-2019-10217

CVSS3: 6.5
nvd
около 6 лет назад

A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.

debian логотип

CVE-2019-10217

CVSS3: 6.5
debian
около 6 лет назад

A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensit ...

github логотип

GHSA-p75j-wc34-527c

CVSS3: 6.5
github
больше 4 лет назад

Exposure of Sensitive Information to an Unauthorized Actor in ansible

suse-cvrf логотип

openSUSE-SU-2020:0513-1

suse-cvrf
почти 6 лет назад

Security update for ansible

EPSS

Процентиль: 63%
0.00449
Низкий

5.7 Medium

CVSS3