Multiple vulnerabilities in Ansible

1) Information disclosure

EUVDB-ID: #VU30582

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-10217

CWE-ID: CWE-200 - Exposure of sensitive information to an unauthorized actor

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Ansible: 2.8.0 - 2.8.3

CPE2.3

• cpe:2.3:a:red_hat:ansible:2.8.0:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.0a1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.0b1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.0:rc1:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.0:rc2:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.0:rc3:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.2:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.3:*:*:*:*:*:*:*

External links

https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217
https://github.com/ansible/ansible/issues/56269
https://github.com/ansible/ansible/pull/59427

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Input validation error

EUVDB-ID: #VU30585

Risk: Medium

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-10206

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.

Mitigation

Install update from vendor's website.

Vulnerable software versions

Ansible: 2.8.0 - 2.8.3

CPE2.3

• cpe:2.3:a:red_hat:ansible:2.8.0:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.0a1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.0b1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.0:rc1:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.0:rc2:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.0:rc3:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.1:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.2:*:*:*:*:*:*:*
• cpe:2.3:a:red_hat:ansible:2.8.3:*:*:*:*:*:*:*

External links

https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
https://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10206

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected application in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.