GitHub Advisory DatabaseGHSA-6FQ2-X65V-V9H7Ansible password prompts could expose passwords
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
60.2%
A data disclosure flaw was found in ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. The highest threat from this vulnerability is to data confidentiality.
This CVE exists due to an incomplete fix for CVE-2019-10206.
Affected configurations
References
lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
access.redhat.com/errata/RHSA-2020:0756
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14856
github.com/advisories/GHSA-6fq2-x65v-v9h7
github.com/ansible/ansible/commit/7f4befdea77045fa83b5f2b304bd5e16b219f74c
github.com/ansible/ansible/pull/63351
nvd.nist.gov/vuln/detail/CVE-2019-14856
Related
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
0.002 Low
EPSS
Percentile
60.2%