{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-14330", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-04T12:39:36.412Z", "dateReserved": "2020-06-17T00:00:00", "datePublished": "2020-09-11T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2022-10-07T00:00:00"}, "descriptions": [{"lang": "en", "value": "An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality."}], "affected": [{"vendor": "Red Hat", "product": "Ansible", "versions": [{"version": "2.10.0", "status": "affected"}]}], "references": [{"url": "https://github.com/ansible/ansible/issues/68400"}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14330"}, {"name": "DSA-4950", "tags": ["vendor-advisory"], "url": "https://www.debian.org/security/2021/dsa-4950"}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-532", "cweId": "CWE-532"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T12:39:36.412Z"}, "title": "CVE Program Container", "references": [{"url": "https://github.com/ansible/ansible/issues/68400", "tags": ["x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14330", "tags": ["x_transferred"]}, {"name": "DSA-4950", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.debian.org/security/2021/dsa-4950"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*", "matchCriteriaId": "4AA51D54-94D6-4A3C-AD5B-190C68C5C5AE", "versionEndExcluding": "2.9.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo de Neutralizaci\u00f3n de Salida Inapropiada para Registros en Ansible al usar el m\u00f3dulo uri, donde los datos confidenciales est\u00e1n expuestos en contenido y salida json. Este fallo permite a un atacante acceder a los registros o salidas de las tareas realizadas para leer las claves usadas en los libros de jugadas de otros usuarios dentro del m\u00f3dulo uri. La mayor amenaza de esta vulnerabilidad es la confidencialidad de los datos"}], "id": "CVE-2020-14330", "lastModified": "2023-11-07T03:17:08.880", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "LOW", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2020-09-11T18:15:13.147", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14330"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Issue Tracking", "Third Party Advisory"], "url": "https://github.com/ansible/ansible/issues/68400"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.debian.org/security/2021/dsa-4950"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Hung Luong for reporting this issue.", "affected_release": [{"advisory": "RHSA-2020:3600", "cpe": "cpe:/a:redhat:ansible_engine:2.8::el7", "package": "ansible-0:2.8.15-1.el7ae", "product_name": "Red Hat Ansible Engine 2.8 for RHEL 7", "release_date": "2020-09-01T00:00:00Z"}, {"advisory": "RHSA-2020:3600", "cpe": "cpe:/a:redhat:ansible_engine:2.8::el8", "package": "ansible-0:2.8.15-1.el8ae", "product_name": "Red Hat Ansible Engine 2.8 for RHEL 8", "release_date": "2020-09-01T00:00:00Z"}], "bugzilla": {"description": "Ansible: masked keys for uri module are exposed into content and json output", "id": "1856815", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1856815"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.0", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-532", "details": ["An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.", "An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality."], "mitigation": {"lang": "en:us", "value": "There is no mitigation for this issue."}, "name": "CVE-2020-14330", "package_state": [{"cpe": "cpe:/a:redhat:ansible_tower:3", "fix_state": "Out of support scope", "package_name": "ansible", "product_name": "Red Hat Ansible Tower 3"}, {"cpe": "cpe:/a:redhat:ceph_storage:2", "fix_state": "Out of support scope", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 2"}, {"cpe": "cpe:/a:redhat:ceph_storage:3", "fix_state": "Affected", "package_name": "ansible", "product_name": "Red Hat Ceph Storage 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Out of support scope", "impact": "low", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:13", "fix_state": "Will not fix", "impact": "low", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 13 (Queens)"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat Storage 3"}], "public_date": "2020-03-23T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-14330\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14330\nhttps://github.com/ansible/ansible/issues/68400"], "statement": "Red Hat Ansible Engine 2.9.12 (downstream) and Ansible Engine 2.9.11 (upstream), as well as previous versions are affected by this flaw. Ansible Engine 2.9.12 version (upstream) on towards fixes the issue for upstream and Red Hat Ansible Engine 2.9.13 version is fixed (downstream).\nRed Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of Ansible, but they no longer maintain their own version of Ansible. Both the products will consume fixes directly from the Ansible repository. As we still ship Ansible separately for Ceph on Ubuntu, a future update may address this issue.\nIn Red Hat OpenStack Platform, because ansible is not directly customer exposed (so that the flaw could not be exploited) and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package. Note: Red Hat Open Stack Platform 15 and newer consume fixes directly from the Ansible repository.", "threat_severity": "Moderate", "upstream_fix": "ansible-engine 2.9.12"}