#VU13542 Information disclosure in Ansible - CVE-2018-10855

 

Published: July 2, 2018


Vulnerability identifier: #VU13542
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2018-10855
CWE-ID: CWE-200
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
Ansible
Software vendor:
Red Hat Inc.

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists because the no_log task flag is not honored for failed tasks. When the no_log flag is used to protect sensitive data passed to a task from being logged and that task does not run successfully, Ansible exposes the sensitive data in log files and on the terminal of the user running Ansible.

Remediation

The vulnerability is addressed in versions 2.4.5 and 2.5.5.
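
A log check a defender could run alongside the upgrade, to find failed-task results that already exposed a known secret so it can be rotated. This is an added example, not part of the advisory or of Ansible. It assumes the default callback's `fatal: [host]: FAILED! => {...}` line format; the function names, sample log, host names and secret value are constructed.

```python
import json
import re

# Default-callback shape of a failed task result: fatal: [host]: FAILED! => {json}
FAILED_RE = re.compile(r"fatal: \[(?P<host>[^\]]+)\]: FAILED! => (?P<body>\{.*\})\s*$")

def _strings(node):
    """Yield every string (keys and values) in a decoded JSON result."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for key, value in node.items():
            yield key
            yield from _strings(value)
    elif isinstance(node, list):
        for item in node:
            yield from _strings(item)

def find_exposures(log_lines, secrets):
    """Return (line_no, host, label) for failed results containing a known secret.

    `secrets` maps a label to its value; only the label is reported, so the
    findings can be shared without repeating the leak.
    """
    findings = []
    for line_no, line in enumerate(log_lines, start=1):
        match = FAILED_RE.search(line)
        if not match:
            continue
        try:
            texts = list(_strings(json.loads(match.group("body"))))
        except json.JSONDecodeError:
            texts = [match.group("body")]  # fall back to the raw text
        for label, value in sorted(secrets.items()):
            if value and any(value in text for text in texts):
                findings.append((line_no, match.group("host"), label))
    return findings

# Constructed sample log (not real output): hosts and values are made up.
SAMPLE_LOG = [
    'p=4242 u=deploy |  ok: [web01]',
    'p=4242 u=deploy |  fatal: [web01]: FAILED! => {"censored": "the output has been hidden due to the fact that \'no_log: true\' was specified for this result", "changed": false}',
    'p=4242 u=deploy |  fatal: [db01]: FAILED! => {"changed": false, "invocation": {"module_args": {"login_password": "EXAMPLE-s3cret-value"}}, "msg": "unable to connect"}',
    'p=4242 u=deploy |  fatal: [db02]: FAILED! => {"changed": false, "msg": "package not found"}',
]
SAMPLE_SECRETS = {"db_login_password": "EXAMPLE-s3cret-value"}
```

Line 2 of the sample shows a correctly censored failure and is not flagged; line 3 is the exposure pattern the advisory describes.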

External links