Skip to content

Exposure of Sensitive Information to an Unauthorized Actor in ansible

Moderate severity GitHub Reviewed Published Oct 12, 2021 to the GitHub Advisory Database • Updated Feb 1, 2023

Package

pip ansible (pip)

Affected versions

>= 2.8.0, < 2.8.4

Patched versions

2.8.4

Description

A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.

References

Published by the National Vulnerability Database Nov 25, 2019
Reviewed Oct 8, 2021
Published to the GitHub Advisory Database Oct 12, 2021
Last updated Feb 1, 2023

Severity

Moderate
6.5
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CVE ID

CVE-2019-10217

GHSA ID

GHSA-p75j-wc34-527c

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.