SB2019082124 - Ansible Engine 2.8 update for Ansible 

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2019082124

SB2019082124 - Ansible Engine 2.8 update for Ansible

Published: August 21, 2019

Security Bulletin ID SB2019082124
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Information disclosure

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2019-10206)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.


2) Information disclosure (CVE-ID: CVE-2019-10217)

The vulnerability allows a remote authenticated user to gain access to sensitive information.

A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.


Remediation

Install update from vendor's website.

References