GitHub Advisory DatabaseGHSA-CQMR-RCPR-CXH3Ansible password prompts could expose passwords
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
60.2%
ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.
Affected configurations
References
lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10206
github.com/advisories/GHSA-cqmr-rcpr-cxh3
github.com/ansible/ansible/commit/4b5aed4e5af4c7aab621662f50a289e99b8ac393
github.com/ansible/ansible/commit/d39488ece44956f6a169a498b067bbef54552be1
github.com/ansible/ansible/commit/d728127310b4f3a40ce8b9df3affb88ffaeea073
github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-145.yaml
lists.debian.org/debian-lts-announce/2023/12/msg00018.html
nvd.nist.gov/vuln/detail/CVE-2019-10206
www.debian.org/security/2021/dsa-4950
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
60.2%