CVE-2018-10855 — MEDIUM (5.9)

Q: How severe is CVE-2018-10855?

CVE-2018-10855 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2018-10855?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Ansible Engine, Redhat Cloudforms, Redhat Openstack, Redhat Virtualization, Debian Debian Linux.

Vulnerability Description

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.

CVSS Score

5.9

MEDIUM

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Affected Products

Vendor	Product	Versions
Redhat	Ansible Engine	>= 2.4, < 2.4.5
Redhat	Cloudforms	4.6
Redhat	Openstack	13
Redhat	Virtualization	4.0
Debian	Debian Linux	9.0
Canonical	Ubuntu Linux	16.04

Related Weaknesses (CWE)

CWE-532

References

https://access.redhat.com/errata/RHBA-2018:3788Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1948Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1949Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2022Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2079Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2184Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2585Vendor Advisory
https://access.redhat.com/errata/RHSA-2019:0054Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855Issue TrackingVendor Advisory
https://usn.ubuntu.com/4072-1/Third Party Advisory
https://www.debian.org/security/2019/dsa-4396Third Party Advisory
https://access.redhat.com/errata/RHBA-2018:3788Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1948Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:1949Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:2022Vendor Advisory

FAQ

What is CVE-2018-10855?

CVE-2018-10855 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged,...

How severe is CVE-2018-10855?

CVE-2018-10855 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2018-10855?

Check the references section above for vendor advisories and patch information. Affected products include: Redhat Ansible Engine, Redhat Cloudforms, Redhat Openstack, Redhat Virtualization, Debian Debian Linux.