CVE-2024-8775
Ansible-core: exposure of sensitive information in ansible vault files due to improper logging
Severity Score: 5.5 (CVSS v3.1)
Exploit Likelihood (EPSS): -
Affected Versions (CPE): see the affected products table below
Public Exploits: 0 (multiple sources)
Exploited in Wild (KEV): -
Decision (SSVC): Track
Descriptions
A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
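As an added illustration (not part of the advisory or of the Ansible project's own code), the playbook below shows the pattern the description refers to. The first task loads a vaulted variables file without `no_log`, so under verbose output or a logging callback the decrypted values appear in the task result; the second loads the same file with `no_log: true`. The file path `vars/secrets.yml` and the variable `db_password` are assumed for illustration.

```yaml
---
# Added example: loading an ansible-vault encrypted vars file with and
# without no_log. Assumes vars/secrets.yml is vault-encrypted and defines
# db_password (both names assumed for illustration).
- name: Demonstrate include_vars logging behaviour
  hosts: localhost
  gather_facts: false
  tasks:
    # Risky: the task result (ansible_facts) carries the decrypted values,
    # so -v output, log_path files and result-recording callbacks expose them.
    - name: Load vaulted variables (decrypted values can reach output and logs)
      ansible.builtin.include_vars:
        file: vars/secrets.yml

    # Safer: no_log suppresses this task's result, including the decrypted
    # variables, from stdout and log files. The variables are still loaded
    # and usable by later tasks.
    - name: Load vaulted variables without logging the result
      ansible.builtin.include_vars:
        file: vars/secrets.yml
      no_log: true

    # Tasks that template the secret into their own arguments or results
    # need the same protection, otherwise the value is logged there instead.
    - name: Use the secret without echoing it
      ansible.builtin.debug:
        msg: "Password length is {{ db_password | length }}"
      no_log: true
```

When checking an existing playbook, search for `include_vars` (and `vars_files` loaded alongside verbose callbacks) that lack `no_log: true` and confirm that `log_path` output from a verbose run contains no vault contents.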
An update is now available for Red Hat Ansible Automation Platform 2.4. Issues addressed include cross-site scripting and denial of service vulnerabilities.
Credits: N/A
SSVC
- Decision: Track
Timeline
- 2024-09-13 CVE Reserved
- 2024-09-14 CVE Published
- 2025-01-10 CVE Updated
- 2025-01-11 EPSS Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
- First Exploit: no date recorded
CWE
- CWE-532: Insertion of Sensitive Information into Log File
References (6)
URL | Date |
---|---|
https://github.com/advisories/GHSA-jpxc-vmjf-9fcj | - |
https://access.redhat.com/security/cve/CVE-2024-8775 | 2024-09-14 |
https://bugzilla.redhat.com/show_bug.cgi?id=2312119 | 2024-09-14 |
https://access.redhat.com/errata/RHSA-2024:10762 | 2025-01-10 |
https://access.redhat.com/errata/RHSA-2024:8969 | 2025-01-10 |
https://access.redhat.com/errata/RHSA-2024:9894 | 2025-01-10 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Red Hat | Ansible Automation Platform | * | - | Affected |
Red Hat | Enterprise Linux AI | * | - | Affected |