CVE-2018-12557 - OpenCVE

An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could lead to accidentally leaking credentials or secrets.

No CVSS v4.0

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

AV:N/AC:L/Au:N/C:P/I:N/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Zuul-ci	Zuul

Configuration 1 [-]

cpe:2.3:a:zuul-ci:zuul:*:*:*:*:*:*:*:*

No data.

References

Link	Providers
http://lists.zuul-ci.org/pipermail/zuul-announce/2018-June/000015.html
https://git.zuul-ci.org/cgit/zuul/commit/?id=ffe7278c08e6e36bf8b18f732c764e00ff51551e
https://storyboard.openstack.org/#%21/story/2002177

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2018-06-19T05:00:00

Updated: 2024-08-05T08:38:06.429Z

Reserved: 2018-06-18T00:00:00

Link: CVE-2018-12557

Vulnrichment

No data.

NVD

Status : Modified

Published: 2018-06-19T05:29:00.230

Modified: 2023-11-07T02:52:21.480

Link: CVE-2018-12557

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2018-06-19T00:00:00", "descriptions": [{"lang": "en", "value": "An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could lead to accidentally leaking credentials or secrets."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-06-19T05:57:01", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://lists.zuul-ci.org/pipermail/zuul-announce/2018-June/000015.html"}, {"tags": ["x_refsource_MISC"], "url": "https://storyboard.openstack.org/#%21/story/2002177"}, {"tags": ["x_refsource_MISC"], "url": "https://git.zuul-ci.org/cgit/zuul/commit/?id=ffe7278c08e6e36bf8b18f732c764e00ff51551e"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cve@mitre.org", "ID": "CVE-2018-12557", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could lead to accidentally leaking credentials or secrets."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://lists.zuul-ci.org/pipermail/zuul-announce/2018-June/000015.html", "refsource": "MISC", "url": "http://lists.zuul-ci.org/pipermail/zuul-announce/2018-June/000015.html"}, {"name": "https://storyboard.openstack.org/#!/story/2002177", "refsource": "MISC", "url": "https://storyboard.openstack.org/#!/story/2002177"}, {"name": "https://git.zuul-ci.org/cgit/zuul/commit/?id=ffe7278c08e6e36bf8b18f732c764e00ff51551e", "refsource": "MISC", "url": "https://git.zuul-ci.org/cgit/zuul/commit/?id=ffe7278c08e6e36bf8b18f732c764e00ff51551e"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T08:38:06.429Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://lists.zuul-ci.org/pipermail/zuul-announce/2018-June/000015.html"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://storyboard.openstack.org/#%21/story/2002177"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://git.zuul-ci.org/cgit/zuul/commit/?id=ffe7278c08e6e36bf8b18f732c764e00ff51551e"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2018-12557", "datePublished": "2018-06-19T05:00:00", "dateReserved": "2018-06-18T00:00:00", "dateUpdated": "2024-08-05T08:38:06.429Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zuul-ci:zuul:*:*:*:*:*:*:*:*", "matchCriteriaId": "E1E9F5F8-E060-41F1-9C62-7065C6D55384", "versionEndExcluding": "3.1.0", "versionStartIncluding": "3.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Zuul 3.x before 3.1.0. If nodes become offline during the build, the no_log attribute of a task is ignored. If the unreachable error occurred in a task used with a loop variable (e.g., with_items), the contents of the loop items would be printed in the console. This could lead to accidentally leaking credentials or secrets."}, {"lang": "es", "value": "Se ha descubierto un problema en Zuul, en versiones 3.x anteriores a la 3.1.0. Si los nodos se vuelven offline durante la build, se ignora el atributo no_log de una tarea. Si el error no alcanzable ocurre en una tarea empleada con una variable en bucle (p.ej., with_items), el contenido de los items en bucle se imprimir\u00eda en la consola. Esto podr\u00eda conducir al filtrado accidental de credenciales o secretos."}], "id": "CVE-2018-12557", "lastModified": "2023-11-07T02:52:21.480", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2018-06-19T05:29:00.230", "references": [{"source": "cve@mitre.org", "tags": ["Mailing List", "Vendor Advisory"], "url": "http://lists.zuul-ci.org/pipermail/zuul-announce/2018-June/000015.html"}, {"source": "cve@mitre.org", "tags": ["Patch", "Vendor Advisory"], "url": "https://git.zuul-ci.org/cgit/zuul/commit/?id=ffe7278c08e6e36bf8b18f732c764e00ff51551e"}, {"source": "cve@mitre.org", "url": "https://storyboard.openstack.org/#%21/story/2002177"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}