Lucene search

RedhatCVE-2020-14330

HistorySep 11, 2020 - 6:15 p.m.

CVE-2020-14330

2020-09-1118:15:13

CWE-532

redhat

web.nvd.nist.gov

127

cve-2020-14330

ansible

uri module

data confidentiality

security vulnerability

nvd

CVSS2

2.1

Attack Vector

LOCAL

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3

5.5

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score

5.3

Confidence

High

EPSS

0.001

Percentile

26.2%

JSON

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.

Affected configurations

Nvd

Vulners

Node

redhatansible_engineRange<2.9.12

Node

debiandebian_linuxMatch10.0

VendorProductVersionCPE
redhatansible_engine*cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
debiandebian_linux10.0cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
redhat	ansible_engine	*	cpe:2.3:a:redhat:ansible_engine::::::::
debian	debian_linux	10.0	cpe:2.3:o:debian:debian_linux:10.0:::::::*

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Ansible",
    "versions": [
      {
        "version": "2.10.0",
        "status": "affected"
      }
    ]
  }
]