CVE-2019-10217
Ansible: gcp modules do not flag sensitive data fields properly
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.
Se encontró un fallo en ansible versiones 2.8.0 anteriores a 2.8.4. Los campos que administran datos confidenciales deben ser establecidos como tales por la funcionalidad no_log. Algunos de estos campos en los módulos GCP no están configurados apropiadamente. La función service_account_contents(), que es una clase común para todos los módulos gcp, no establece no_log en True. Cualquier dato confidencial administrado por esa función se filtraría como salida al ejecutar playbooks de ansible.
A flaw was found in the gcp module of ansible. Certain fields managing sensitive data should be marked by the no_log feature. The service_account_contents(), which is common class for all gcp modules, is not being set as no_log to True. Any sensitive data managed by that function would be leaked as an output when running ansible playbooks. Data confidentiality is the highest threat with this vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-03-27 CVE Reserved
- 2019-08-21 CVE Published
- 2023-03-30 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CAPEC
References (7)
URL | Tag | Source |
---|---|---|
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217 | Issue Tracking | |
https://github.com/ansible/ansible/pull/59427 | Third Party Advisory |
URL | Date | SRC |
---|---|---|
https://github.com/ansible/ansible/issues/56269 | 2024-08-04 |
URL | Date | SRC |
---|
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status | ||||||
---|---|---|---|---|---|---|---|---|---|---|
Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
Redhat Search vendor "Redhat" | Ansible Search vendor "Redhat" for product "Ansible" | >= 2.8.0 < 2.8.4 Search vendor "Redhat" for product "Ansible" and version " >= 2.8.0 < 2.8.4" | - |
Affected
|