#VU30585 Input validation error in Ansible - CVE-2019-10206 

 

Published: November 22, 2019 / Updated: July 17, 2020


Vulnerability identifier: #VU30585
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2019-10206
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Ansible
Software vendor: Red Hat Inc.

Description

The vulnerability allows a remote authenticated user to gain access to sensitive information.

The ansible-playbook -k and ansible CLI tools, in all 2.8.x versions before 2.8.4, all 2.7.x versions before 2.7.13 and all 2.6.x versions before 2.6.19, expand passwords entered at the prompt as templates, because the passwords could contain special characters. Passwords should be wrapped so that they do not trigger template expansion and get exposed.


Remediation

Install the update from the vendor's website.
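
To find control hosts that still run an affected release, the version ranges given in the description can be checked mechanically. The script below is an added example, not part of the original advisory or of Ansible; the host names and inventory are constructed, and counting a pre-release of a fixed version as affected is a conservative assumption.

```python
import re

# Fixed patch level per release branch, taken from the advisory text.
FIXED_PATCH = {(2, 8): 4, (2, 7): 13, (2, 6): 19}

# Accepts "2.8.3", "ansible 2.8.3", "2.8.4rc1", "2.8.4-1.el7" (packaging suffix ignored).
_VERSION = re.compile(r"^(?:ansible\s+)?(\d+)\.(\d+)\.(\d+)((?:a|b|rc)\d+|\.dev\d+)?")


def classify(version_text):
    """Return 'affected', 'fixed' or 'not-listed' for one version string."""
    m = _VERSION.match(version_text.strip())
    if m is None:
        raise ValueError(f"unrecognised version: {version_text!r}")
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        # The advisory makes no statement about other branches.
        return "not-listed"
    # Assumption: a pre-release of the fixed version (2.8.4rc1) sorts before
    # the release and is therefore counted as affected.
    if patch < fixed or (patch == fixed and m.group(4)):
        return "affected"
    return "fixed"


def hosts_needing_update(inventory):
    """Return the sorted host names whose Ansible version is affected."""
    return sorted(h for h, v in inventory.items() if classify(v) == "affected")


# Constructed sample: host name -> first line of `ansible --version`.
SAMPLE_INVENTORY = {
    "ctl-01.example": "ansible 2.8.3",
    "ctl-02.example": "ansible 2.8.4",
    "ctl-03.example": "ansible 2.7.12",
    "ctl-04.example": "2.6.19-1.el7",
    "ctl-05.example": "ansible 2.8.4rc1",
    "ctl-06.example": "ansible 2.9.0",
}

if __name__ == "__main__":
    for host in hosts_needing_update(SAMPLE_INVENTORY):
        print(f"{host}: update required ({SAMPLE_INVENTORY[host]})")
```

Branches the advisory does not mention are reported as `not-listed` rather than guessed at.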

External links