GitHub Advisory Database: GHSA-4R65-35QQ-CH8J
History: Mar 04, 2022 - 12:00 a.m.

Ansible discloses sensitive information in traceback error message

2022-03-04 00:00:17
CWE-209
GitHub Advisory Database
github.com
ansible
it automation
configuration management
application deployment
cloud provisioning
network automation
information disclosure
user credentials
traceback error
vulnerability
confidentiality

CVSS2: 2.1
Attack Vector: LOCAL
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:L/AC:L/Au:N/C:P/I:N/A:N

CVSS3: 5.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0
Percentile: 15.5%

Ansible is an IT automation system that handles configuration management, application deployment, cloud provisioning, ad-hoc task execution, network automation, and multi-node orchestration. A flaw was found in Ansible Engine’s ansible-connection module where sensitive information, such as the Ansible user credentials, is disclosed by default in the traceback error message when Ansible receives an unexpected response from set_options. The highest threat from this vulnerability is confidentiality.

Affected configurations

Vulners
Node: ansible ansible, Range <2.9.27

Vendor | Product | Version | CPE
ansible | ansible | * | cpe:2.3:a:ansible:ansible:*:*:*:*:*:*:*:*
