vulnrichment / Redhat / VULNRICHMENT:CVE-2024-8775
History: Sep 14, 2024 - 2:15 a.m.

CVE-2024-8775 Ansible-core: exposure of sensitive information in ansible vault files due to improper logging

2024-09-14 02:15:14
CWE-532
redhat
github.com
Tags: cve-2024-8775, ansible, sensitive information, ansible vault, plaintext exposure, playbook execution, include_vars, no_log parameter, unintentional disclosure, passwords, api keys, security compromise, unauthorized access

CVSS3: 5.5

Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 5.3
Confidence: High

SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
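
One way to audit playbooks for the pattern described above, as an added example that is not part of the advisory or of Ansible itself: a small indentation-based scan that reports include_vars tasks whose own keys do not set a truthy no_log. The sample playbook, task names and file names are constructed, and the scan is a simplification rather than a full YAML parser (it does not see no_log inherited from a play or block).

```python
import re

# Constructed sample playbook; task and file names are hypothetical.
SAMPLE_PLAYBOOK = """\
- hosts: all
  tasks:
    - name: load vaulted secrets
      include_vars:
        file: vault.yml
    - name: load vaulted secrets quietly
      ansible.builtin.include_vars: secrets.yml
      no_log: true
    - name: load api keys
      include_vars: api_keys.yml
      no_log: false
"""

KEY = re.compile(r"^([\w.]+):\s*(.*)$")
MODULES = {"include_vars", "ansible.builtin.include_vars"}
TRUTHY = {"true", "yes", "on"}  # boolean spellings treated as "enabled"

def find_unprotected_include_vars(text):
    """Return [(line, task name)] for include_vars tasks without a truthy no_log."""
    findings, stack = [], []  # stack holds list items (candidate tasks) still open

    def close(item):
        keys = item["keys"]
        if MODULES.intersection(keys) and keys.get("no_log", "").lower() not in TRUTHY:
            findings.append((item["line"], keys.get("name", "")))

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(" #")[0].rstrip()  # drop trailing comments
        body = line.lstrip()
        if not body or body.startswith("#"):
            continue
        indent = len(line) - len(body)
        if body.startswith("- "):  # a new list item closes siblings and deeper items
            while stack and stack[-1]["dash"] >= indent:
                close(stack.pop())
            dash, body = indent, body[2:].lstrip()
            indent = len(line) - len(body)
            stack.append({"dash": dash, "col": indent, "line": lineno, "keys": {}})
        while stack and stack[-1]["col"] > indent:  # a dedent ends nested items
            close(stack.pop())
        m = KEY.match(body)
        if m and stack and stack[-1]["col"] == indent:
            stack[-1]["keys"][m.group(1)] = m.group(2).strip("'\"")
    while stack:
        close(stack.pop())
    return sorted(findings)

if __name__ == "__main__":
    for line, name in find_unprotected_include_vars(SAMPLE_PLAYBOOK):
        print(f"line {line}: include_vars without no_log: true ({name})")
```

On the constructed sample it flags the tasks starting at lines 3 and 9 and passes the one that sets no_log: true.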
