Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1qcHhjLXZtamYtOWZjas4AA_i3

Ansible vulnerable to Insertion of Sensitive Information into Log File

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.

Permalink: https://github.com/advisories/GHSA-jpxc-vmjf-9fcj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcHhjLXZtamYtOWZjas4AA_i3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: 2 months ago
Updated: 1 day ago

CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Identifiers: GHSA-jpxc-vmjf-9fcj, CVE-2024-8775
References:

• https://nvd.nist.gov/vuln/detail/CVE-2024-8775
• https://access.redhat.com/security/cve/CVE-2024-8775
• https://bugzilla.redhat.com/show_bug.cgi?id=2312119
• https://access.redhat.com/errata/RHSA-2024:8969
• https://access.redhat.com/errata/RHSA-2024:9894
• https://github.com/advisories/GHSA-jpxc-vmjf-9fcj

Blast Radius: 18.3

Affected Packages