Описание
A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
A flaw was found in ansible. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
Отчет
Fixes for Red Hat OpenStack Platform (RHOSP) have been set to 'Moderate' because flaw exploitation requires running Ansible with increased verbosity which is not the RHOSP deployment default. Red Hat Gluster Storage no longer maintains its own version of Ansible. The fix will be provided from core Ansible.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| CloudForms Management Engine 5 | ansible | Not affected | ||
| Red Hat Ansible Tower 3 | ansible | Affected | ||
| Red Hat Ceph Storage 2 | ansible | Out of support scope | ||
| Red Hat Ceph Storage 3 | ansible | Affected | ||
| Red Hat OpenStack Platform 10 (Newton) | ansible | Will not fix | ||
| Red Hat OpenStack Platform 14 (Rocky) | ansible | Out of support scope | ||
| Red Hat Satellite 6 | ansible | Out of support scope | ||
| Red Hat Storage 3 | ansible | Will not fix | ||
| Red Hat Ansible Engine 2.6 for RHEL 7 | ansible | Fixed | RHSA-2019:3201 | 24.10.2019 |
| Red Hat Ansible Engine 2.7 for RHEL 7 | ansible | Fixed | RHSA-2019:3202 | 24.10.2019 |
Показывать по
Дополнительная информация
Статус:
EPSS
5 Medium
CVSS3
Связанные уязвимости
A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible tower 3.x up to 3.5. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter name to the module will cause the task to fail before the no_log options in the sub parameters are processed. As a result, data in the sub parameter fields will not be masked and will be displayed if Ansible is run with increased verbosity and present in the module invocation arguments for the task.
A vulnerability was found in Ansible engine 2.x up to 2.8 and Ansible ...
Ansible leaks sensitive information to logs when told not to
Уязвимость системы управления конфигурациями Ansible, связанная с неправильной обработкой выходных данных для журналов регистрации, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
EPSS
5 Medium
CVSS3