Description
ansible-playbook -k and the ansible CLI tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt for passwords and expand them as templates, since they could contain special characters. Passwords should be wrapped to prevent templates from triggering and exposing them.
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.8 | Impact: 3.6
Attack Vector: Network
Complexity: Low
Privileges: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None
Affected Packages
CVEListV5: red_hat/ansible, all 2.6.x before 2.6.19, all 2.7.x before 2.7.13, all 2.8.x before 2.8.4
Also affects: Debian Linux 10.0
Vulnerability Details
GHSA: Ansible password prompts could expose passwords (2022-05-24)
OSV: Ansible password prompts could expose passwords (2022-05-24)
OSV: CVE-2019-10206: ansible-playbook -k and ansible cli tools, all versions 2 (2019-11-22)
CVEList: CVE-2019-10206: ansible-playbook -k and ansible cli tools, all versions 2 (2019-11-22)
Vendor Advisories
Ubuntu: Ansible vulnerabilities (2025-03-05)
Red Hat: ansible: Incomplete fix for CVE-2019-10206 (2019-10-08)
Red Hat: Ansible: disclosure data when prompted for password and template characters are passed (2019-07-24)
Debian: CVE-2019-10206: ansible - ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all ... (2019)
Community
Bugzilla: CVE-2019-14856 ansible: Incomplete fix for CVE-2019-10206 [epel-7] (2019-11-22)
Bugzilla: CVE-2019-14856 ansible: Incomplete fix for CVE-2019-10206 [openstack-rdo] (2019-11-22)
Bugzilla: CVE-2019-14856 ansible: Incomplete fix for CVE-2019-10206 [epel-6] (2019-11-22)
Bugzilla: CVE-2019-14856 ansible: Incomplete fix for CVE-2019-10206 [fedora-all] (2019-11-22)
Bugzilla: CVE-2019-14856 ansible: Incomplete fix for CVE-2019-10206 (2019-10-11)