QwikSec

Security Database

CVE

CWE

Training

CVE-2019-10217

Published: Nov 25, 2019

Modified: Aug 4, 2024

PUBLISHED

CVSS v3.0

5.7

MEDIUM

Description

A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.

Vendor	Product	Versions
Red Hat	Ansible	affected `ansible 2.8.0 before 2.8.4`

Weaknesses (CWE)

CVSS v3.0 Details

CVSS v3.0 Vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217

x_refsource_CONFIRM

https://github.com/ansible/ansible/issues/56269

x_refsource_CONFIRM

https://github.com/ansible/ansible/pull/59427

x_refsource_CONFIRM

openSUSE-SU-2020:0513

vendor-advisory

x_refsource_SUSE

openSUSE-SU-2020:0523

vendor-advisory

x_refsource_SUSE

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.