{"containers": {"cna": {"affected": [{"product": "Ansible", "vendor": "Red Hat", "versions": [{"status": "affected", "version": "ansible 2.8.0 before 2.8.4"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks."}], "metrics": [{"cvssV3_0": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "description": "CWE-200", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-16T08:06:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ansible/ansible/issues/56269"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ansible/ansible/pull/59427"}, {"name": "openSUSE-SU-2020:0513", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"name": "openSUSE-SU-2020:0523", "tags": ["vendor-advisory", "x_refsource_SUSE"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert@redhat.com", "ID": "CVE-2019-10217", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Ansible", "version": {"version_data": [{"version_value": "ansible 2.8.0 before 2.8.4"}]}}]}, "vendor_name": "Red Hat"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks."}]}, "impact": {"cvss": [[{"vectorString": "5.7/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}]]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-200"}]}]}, "references": {"reference_data": [{"name": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217", "refsource": "CONFIRM", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217"}, {"name": "https://github.com/ansible/ansible/issues/56269", "refsource": "CONFIRM", "url": "https://github.com/ansible/ansible/issues/56269"}, {"name": "https://github.com/ansible/ansible/pull/59427", "refsource": "CONFIRM", "url": "https://github.com/ansible/ansible/pull/59427"}, {"name": "openSUSE-SU-2020:0513", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"name": "openSUSE-SU-2020:0523", "refsource": "SUSE", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T22:17:18.921Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ansible/ansible/issues/56269"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ansible/ansible/pull/59427"}, {"name": "openSUSE-SU-2020:0513", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"name": "openSUSE-SU-2020:0523", "tags": ["vendor-advisory", "x_refsource_SUSE", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2019-10217", "datePublished": "2019-11-25T15:06:19", "dateReserved": "2019-03-27T00:00:00", "dateUpdated": "2024-08-04T22:17:18.921Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "313A09AC-5BD9-4660-8D33-56A5E0CC239F", "versionEndExcluding": "2.8.4", "versionStartIncluding": "2.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en ansible versiones 2.8.0 anteriores a 2.8.4. Los campos que administran datos confidenciales deben ser establecidos como tales por la funcionalidad no_log. Algunos de estos campos en los m\u00f3dulos GCP no est\u00e1n configurados apropiadamente. La funci\u00f3n service_account_contents(), que es una clase com\u00fan para todos los m\u00f3dulos gcp, no establece no_log en True. Cualquier dato confidencial administrado por esa funci\u00f3n se filtrar\u00eda como salida al ejecutar playbooks de ansible."}], "id": "CVE-2019-10217", "lastModified": "2024-11-21T04:18:40.660", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.0"}, "exploitabilityScore": 2.1, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-11-25T16:15:13.347", "references": [{"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"source": "secalert@redhat.com", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ansible/ansible/issues/56269"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://github.com/ansible/ansible/pull/59427"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/ansible/ansible/issues/56269"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://github.com/ansible/ansible/pull/59427"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-200"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "This issue was discovered by Abhijeet Kasurde (Red Hat).", "affected_release": [{"advisory": "RHSA-2019:2542", "cpe": "cpe:/a:redhat:ansible_engine:2.8::el7", "package": "ansible-0:2.8.4-1.el7ae", "product_name": "Red Hat Ansible Engine 2.8 for RHEL 7", "release_date": "2019-08-21T00:00:00Z"}, {"advisory": "RHSA-2019:2542", "cpe": "cpe:/a:redhat:ansible_engine:2.8::el8", "package": "ansible-0:2.8.4-1.el8ae", "product_name": "Red Hat Ansible Engine 2.8 for RHEL 8", "release_date": "2019-08-21T00:00:00Z"}, {"advisory": "RHSA-2019:2543", "cpe": "cpe:/a:redhat:ansible_engine:2::el7", "package": "ansible-0:2.8.4-1.el7ae", "product_name": "Red Hat Ansible Engine 2 for RHEL 7", "release_date": "2019-08-21T00:00:00Z"}, {"advisory": "RHSA-2019:2543", "cpe": "cpe:/a:redhat:ansible_engine:2::el8", "package": "ansible-0:2.8.4-1.el8ae", "product_name": "Red Hat Ansible Engine 2 for RHEL 8", "release_date": "2019-08-21T00:00:00Z"}], "bugzilla": {"description": "Ansible: gcp modules do not flag sensitive data fields properly", "id": "1733509", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1733509"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.7", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.", "A flaw was found in the gcp module of ansible. Certain fields managing sensitive data should be marked by the no_log feature. The service_account_contents(), which is common class for all gcp modules, is not being set as no_log to True. Any sensitive data managed by that function would be leaked as an output when running ansible playbooks. Data confidentiality is the highest threat with this vulnerability."], "name": "CVE-2019-10217", "package_state": [{"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Not affected", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Not affected", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Not affected", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Not affected", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:openstack:14", "fix_state": "Not affected", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 14 (Rocky)"}], "public_date": "2019-07-26T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-10217\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10217"], "statement": "Ansible shipped with Red Hat Ceph Storage 3; Red Hat OpenStack 10, 13, and 14; and Ansible Engine 2.6 and 2.7 are not vulnerable as they do not include the cred_type implementation (service_account_contents).", "threat_severity": "Moderate"}

{}