Main Vulnerability Database Vulnerabilities #VU13542

Information disclosure in Ansible - CVE-2018-10855

Published: July 2, 2018

Vulnerability identifier: #VU13542

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2018-10855

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Red Hat Inc.

Affected software:
Ansible

Detailed vulnerability description

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists due to improper honor of the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.

How to mitigate CVE-2018-10855

The vulnerability is addressed in the versions 2.4.5, 2.5.5.

Sources

https://access.redhat.com/security/cve/cve-2018-10855

Information disclosure in Ansible - CVE-2018-10855

Detailed vulnerability description

How to mitigate CVE-2018-10855

Sources

Please verify you're human