Skip to content

Ansible exposes sensitive data in log files and on the terminal

Moderate severity GitHub Reviewed Published Oct 10, 2018 to the GitHub Advisory Database • Updated Aug 31, 2023

Package

pip ansible (pip)

Affected versions

>= 2.5.0, < 2.5.5
>= 2.4.0, < 2.4.5

Patched versions

2.5.5
2.4.5

Description

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.

References

Published by the National Vulnerability Database Jul 3, 2018
Published to the GitHub Advisory Database Oct 10, 2018
Reviewed Jun 16, 2020
Last updated Aug 31, 2023

Severity

Moderate
5.9
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2018-10855

GHSA ID

GHSA-jwcc-j78w-j73w

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.