CVE-2024-8775: Log File Information Exposure in Red Hat Ansible

Severity: 5.5 MEDIUM (NVD)
EPSS: 0.0% (top 88.29%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline
Published: Sep 14
Latest update: Sep 16

Description

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or
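The mitigation named in the description, shown as an added example (not code from the advisory or the Ansible project): the first play loads vaulted variables the way the flaw describes, the second sets no_log: true on the include_vars task and on the task that consumes the secret. The vault file path group_vars/secrets.yml, the variable names and the URL are assumed placeholders.

```yaml
# Added example (not from the advisory). Assumes group_vars/secrets.yml is an
# ansible-vault encrypted file (placeholder path) defining db_password and api_key.
- name: Load vaulted secrets (weak form described in CVE-2024-8775)
  hosts: all
  gather_facts: false
  tasks:
    # Without no_log, the task result (ansible_facts holding the decrypted
    # values) is printed in verbose output (-v) and written to any configured
    # log_path, so the vault contents end up in plaintext in the logs.
    - name: include_vars without no_log
      ansible.builtin.include_vars:
        file: group_vars/secrets.yml

- name: Load vaulted secrets (hardened form)
  hosts: all
  gather_facts: false
  tasks:
    # no_log: true suppresses the task result, so the decrypted values never
    # reach stdout, callback plugins or log_path.
    - name: include_vars with no_log
      ansible.builtin.include_vars:
        file: group_vars/secrets.yml
      no_log: true

    # Any task that places a secret in its arguments also echoes it in verbose
    # output, so the same setting is needed wherever the variable is used.
    - name: Use the secret without echoing it
      ansible.builtin.uri:
        url: https://api.example.invalid/health
        headers:
          Authorization: "Bearer {{ api_key }}"
      no_log: true
```

Running both plays with `ansible-playbook -v --ask-vault-pass playbook.yml` shows the decrypted values in the first play's include_vars result and only a censored marker in the second.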

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages (1 package)

Debian: redhat/ansible < 2.10.7+merged+base+2.10.17+dfsg-0+deb11u2+3

Vulnerability Details (4)

GHSA: Ansible vulnerable to Insertion of Sensitive Information into Log File (2024-09-16)
OSV: Ansible vulnerable to Insertion of Sensitive Information into Log File (2024-09-16)
CVEList: Ansible-core: exposure of sensitive information in ansible vault files due to improper logging (2024-09-14)
OSV: CVE-2024-8775: A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook (2024-09-14)

Vendor Advisories (3)

Red Hat: ansible-core: Exposure of Sensitive Information in Ansible Vault Files Due to Improper Logging (2024-09-13)
Microsoft: Ansible-core: exposure of sensitive information in ansible vault files due to improper logging (2024-09-10)
Debian: CVE-2024-8775: ansible - A flaw was found in Ansible, where sensitive information stored in Ansible Vault... (2024)