CVE-2019-10217

Published: 25/11/2019 Updated: 13/04/2020
CVSS v2 Base Score: 4 | Impact Score: 2.9 | Exploitability Score: 8
CVSS v3 Base Score: 6.5 | Impact Score: 3.6 | Exploitability Score: 2.8
VMScore: 356
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N

Vulnerability Summary

A flaw was found in Ansible 2.8.0 prior to 2.8.4. Fields that manage sensitive data should be marked as such with the no_log feature, but some of these fields in the GCP modules are not set properly. service_account_contents(), which is a common class for all GCP modules, does not set no_log to True. Any sensitive data managed by that function would be leaked in the output when running Ansible playbooks.

Vulnerable Product

redhat ansible

Vendor Advisories

Debian Bug report logs - #934128. ansible: CVE-2019-10217: gcp modules do not flag sensitive data fields properly. Package: src:ansible; Maintainer for src:ansible is Harlan Lieberman-Berg <hlieberman@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Wed, 7 Aug 2019 10:51:02 UTC; Severity: import ...

Synopsis: Moderate: Ansible security and bug fix update. Type/Severity: Security Advisory: Moderate. Topic: An update for Ansible is now available for Ansible Engine 2.8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score ...