Vulnerability Description
A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Redhat | Ansible | >= 2.8.0, < 2.8.4 |
Related Weaknesses (CWE)
References
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217Issue TrackingThird Party Advisory
- https://github.com/ansible/ansible/issues/56269ExploitThird Party Advisory
- https://github.com/ansible/ansible/pull/59427Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217Issue TrackingThird Party Advisory
- https://github.com/ansible/ansible/issues/56269ExploitThird Party Advisory
- https://github.com/ansible/ansible/pull/59427Third Party Advisory
FAQ
What is CVE-2019-10217?
CVE-2019-10217 is a vulnerability with a CVSS score of 6.5 (MEDIUM). A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_conten...
How severe is CVE-2019-10217?
CVE-2019-10217 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2019-10217?
Check the references section above for vendor advisories and patch information. Affected products include: Redhat Ansible.