Sep 14, 2024 - 2:15 a.m.

CVE-2024-8775 Ansible-core: exposure of sensitive information in ansible vault files due to improper logging

2024-09-14 02:15:14
CWE-532
redhat
www.cve.org
cve-2024-8775
ansible
sensitive information
ansible vault
plaintext
playbook
include_vars
no_log parameter
unintentional disclosure
passwords
api keys
security
unauthorized access
actions

CVSS3: 5.5

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS: 0
Percentile: 9.6%

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
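
A review aid for the condition described above, added here as an example and not taken from the advisory or from ansible-core: a line-based check that reports include_vars tasks which do not set no_log: true. The function name, the sample playbook and its file paths are constructed for illustration. It assumes space-indented block-style YAML and looks only at task-level keys, so a no_log inherited from an enclosing play or block is not taken into account.

```python
import re

# Constructed sample playbook (not from the advisory): the first task loads a
# vaulted file without no_log, the second sets it.
SAMPLE_PLAYBOOK = """\
- hosts: all
  tasks:
    - name: Load vaulted secrets (values can reach output and logs)
      ansible.builtin.include_vars:
        file: vault/secrets.yml

    - name: Load vaulted secrets (output suppressed)
      include_vars: vault/db.yml
      no_log: true
"""

MODULE = re.compile(r"^(?:ansible\.(?:builtin|legacy)\.)?include_vars\s*:")
NO_LOG_ON = re.compile(r"^no_log\s*:\s*(?:true|yes|on)\s*(?:#.*)?$", re.IGNORECASE)


def find_unlogged_include_vars(playbook_text):
    """Return (line_number, task_name) for include_vars tasks lacking no_log: true."""
    lines = playbook_text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        item = line.lstrip()
        if not item.startswith("- "):
            continue
        dash_indent = len(line) - len(item)
        first_key = item[1:].lstrip()
        key_indent = len(line) - len(first_key)
        keys = [first_key.strip()]  # the first key shares the dash line
        for nxt in lines[i + 1:]:
            if not nxt.strip() or nxt.lstrip().startswith("#"):
                continue
            indent = len(nxt) - len(nxt.lstrip())
            if indent <= dash_indent:
                break  # end of this list item
            if indent == key_indent:
                keys.append(nxt.strip())  # task-level key, not a module argument
        if any(MODULE.match(k) for k in keys) and not any(NO_LOG_ON.match(k) for k in keys):
            name = next((k.split(":", 1)[1].strip() for k in keys if k.startswith("name:")), "<unnamed>")
            findings.append((i + 1, name))
    return findings


if __name__ == "__main__":
    for lineno, name in find_unlogged_include_vars(SAMPLE_PLAYBOOK):
        print(f"line {lineno}: include_vars without no_log: true -> {name}")
```

A templated or false no_log value is reported as well, which errs on the side of review.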

CNA Affected

[
  {
    "vendor": "Red Hat",
    "product": "Red Hat Ansible Automation Platform 2",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "ansible-core",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:ansible_automation_platform:2"
    ]
  },
  {
    "vendor": "Red Hat",
    "product": "Red Hat Enterprise Linux AI (RHEL AI)",
    "collectionURL": "https://access.redhat.com/downloads/content/package-browser/",
    "packageName": "rhelai1/bootc-nvidia-rhel9",
    "defaultStatus": "affected",
    "cpes": [
      "cpe:/a:redhat:enterprise_linux_ai:1"
    ]
  }
]
