#VU13542 Information disclosure in Ansible


Published: 2018-07-02

Vulnerability identifier: #VU13542

Vulnerability risk: Low

CVSSv3.1: 5.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2018-10855

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ansible
Server applications / Remote management servers, RDP, SSH

Vendor: Red Hat Inc.

Description

The vulnerability allows a remote attacker to obtain potentially sensitive information from the target system.
The weakness exists because Ansible does not honor the no_log task flag for tasks that fail. When no_log has been set to keep sensitive data passed to a task out of the logs and that task does not complete successfully, Ansible writes the sensitive data to its log files and to the terminal of the user running Ansible.
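As an added example (not code from this advisory or from the Ansible project), the following Python script shows the check a practitioner would run after patching: it builds a one-task probe playbook that fails on purpose while carrying a marker value under no_log: true, runs it if ansible-playbook is installed, and scans both the terminal output and the Ansible log file for the marker. The playbook, the marker string PROBE_SECRET and the two sample FAILED! lines are constructed for illustration; the censored-result text is the message Ansible prints for a result hidden by no_log.

```python
"""Probe whether a failing ``no_log: true`` task leaks its data (CVE-2018-10855).

Added example; not code from the advisory or from the Ansible project.
"""
import os
import shutil
import subprocess
import tempfile

# Constructed marker: easy to grep for and clearly not a real credential.
PROBE_SECRET = "PROBE-SECRET-7f3a9c1e"

# Constructed one-task playbook: the task fails on purpose, and the marker
# travels both in the task arguments and in the command's stdout.
PROBE_PLAYBOOK = f"""---
- hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: failing task whose argument and output must stay out of the logs
      shell: "echo {PROBE_SECRET}; exit 1"
      no_log: true
"""

# Ansible's own text for a result hidden by no_log.
CENSORED = ("the output has been hidden due to the fact that "
            "'no_log: true' was specified for this result")


def find_leaks(output: str, secrets) -> list:
    """Return the secrets that appear verbatim anywhere in ``output``."""
    return [s for s in secrets if s in output]


def censored_results(output: str) -> int:
    """Count results that Ansible reported as hidden by no_log."""
    return output.count(CENSORED)


def assess(output: str, secrets) -> str:
    """Classify a run as 'leak', 'protected' (censored, no marker) or 'inconclusive'."""
    if find_leaks(output, secrets):
        return "leak"
    if censored_results(output) > 0:
        return "protected"
    return "inconclusive"


def run_probe() -> dict:
    """Run the probe playbook and assess its terminal and log output.

    ANSIBLE_LOG_PATH points Ansible's log at a temp file so the log is checked
    as well as the terminal; ANSIBLE_NOCOLOR keeps escape codes out of the text.
    """
    if shutil.which("ansible-playbook") is None:
        return {"verdict": "inconclusive", "reason": "ansible-playbook not found"}
    with tempfile.TemporaryDirectory() as tmp:
        playbook = os.path.join(tmp, "probe.yml")
        log_path = os.path.join(tmp, "ansible.log")
        with open(playbook, "w") as f:
            f.write(PROBE_PLAYBOOK)
        env = dict(os.environ, ANSIBLE_LOG_PATH=log_path, ANSIBLE_NOCOLOR="1")
        proc = subprocess.run(["ansible-playbook", "-i", "localhost,", playbook],
                              capture_output=True, text=True, env=env)
        terminal = proc.stdout + proc.stderr
        log = open(log_path).read() if os.path.exists(log_path) else ""
        return {
            "verdict": assess(terminal + log, [PROBE_SECRET]),
            "task_failed": proc.returncode != 0,   # the probe only means something if it failed
            "terminal_leak": bool(find_leaks(terminal, [PROBE_SECRET])),
            "log_leak": bool(find_leaks(log, [PROBE_SECRET])),
        }


# Constructed sample output for offline checking: the FAILED! line as it looks
# when the result is censored (fixed behaviour) versus when it is not.
SAMPLE_PROTECTED = ('fatal: [localhost]: FAILED! => {"censored": "' + CENSORED
                    + '", "changed": true}\n')
SAMPLE_LEAK = (f'fatal: [localhost]: FAILED! => {{"changed": true, '
               f'"cmd": "echo {PROBE_SECRET}; exit 1", "rc": 1, "stdout": "{PROBE_SECRET}"}}\n')

if __name__ == "__main__":
    print("offline sample (leaking):  ", assess(SAMPLE_LEAK, [PROBE_SECRET]))
    print("offline sample (protected):", assess(SAMPLE_PROTECTED, [PROBE_SECRET]))
    print("live probe:", run_probe())
```

A verdict of "protected" means the task failed, the result was censored and the marker appeared nowhere; "leak" on an affected version shows the marker in the cmd and stdout fields of the failure result. Any secrets used in real no_log tasks that failed on an affected controller should be treated as exposed.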

Mitigation
The vulnerability is fixed in Ansible 2.4.5 and 2.5.5. Update to one of these versions or later. Because the leak is triggered by task failure, any secrets passed to no_log tasks that failed while running an affected version should be assumed to be present in the controller's log files and terminal output, and should be rotated.

Vulnerable software versions

Ansible: 2.4.0 - 2.4.4, 2.5.0 - 2.5.4


External links
http://access.redhat.com/security/cve/cve-2018-10855


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware that exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
