{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-8775", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-09-13T09:06:07.367Z", "datePublished": "2024-09-14T02:15:14.907Z", "dateUpdated": "2024-11-11T17:38:13.547Z"}, "containers": {"cna": {"title": "Ansible-core: exposure of sensitive information in ansible vault files due to improper logging", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions."}], "affected": [{"vendor": "Red Hat", "product": "Ansible Automation Platform Execution Environments", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "ansible-automation-platform/ansible-builder-rhel8", "defaultStatus": "affected", "versions": [{"version": "1.2.0-91", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform:ee::el8", "cpe:/a:redhat:ansible_automation_platform:ee::el9"]}, {"vendor": "Red Hat", "product": "Ansible Automation Platform Execution Environments", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "ansible-automation-platform/ansible-builder-rhel9", "defaultStatus": "affected", "versions": [{"version": "3.0.1-95", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform:ee::el8", "cpe:/a:redhat:ansible_automation_platform:ee::el9"]}, {"vendor": "Red Hat", "product": "Ansible Automation Platform Execution Environments", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "ansible-automation-platform/ee-29-rhel8", "defaultStatus": "affected", "versions": [{"version": "2.9.27-32", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform:ee::el8", "cpe:/a:redhat:ansible_automation_platform:ee::el9"]}, {"vendor": "Red Hat", "product": "Ansible Automation Platform Execution Environments", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "ansible-automation-platform/ee-minimal-rhel8", "defaultStatus": "affected", "versions": [{"version": "2.16.13-1", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform:ee::el8", "cpe:/a:redhat:ansible_automation_platform:ee::el9"]}, {"vendor": "Red Hat", "product": "Ansible Automation Platform Execution Environments", "collectionURL": "https://catalog.redhat.com/software/containers/", "packageName": "ansible-automation-platform/ee-minimal-rhel9", "defaultStatus": "affected", "versions": [{"version": "2.15.12-17", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform:ee::el8", "cpe:/a:redhat:ansible_automation_platform:ee::el9"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ansible-core", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:ansible_automation_platform:2"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux AI (RHEL AI)", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "rhelai1/bootc-nvidia-rhel9", "defaultStatus": "affected", "cpes": ["cpe:/a:redhat:enterprise_linux_ai:1"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:8969", "name": "RHSA-2024:8969", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-8775", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312119", "name": "RHBZ#2312119", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "datePublic": "2024-09-13T08:35:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "Insertion of Sensitive Information into Log File", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-532: Insertion of Sensitive Information into Log File", "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "timeline": [{"lang": "en", "time": "2024-09-13T08:31:27.781000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-13T08:35:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-11T17:38:13.547Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-16T14:21:23.423396Z", "id": "CVE-2024-8775", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-16T14:29:01.960Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-8775", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-09-16T14:21:23.423396Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-16T14:28:57.342Z"}}], "cna": {"title": "Ansible-core: exposure of sensitive information in ansible vault files due to improper logging", "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"cpes": ["cpe:/a:redhat:ansible_automation_platform:ee::el8", "cpe:/a:redhat:ansible_automation_platform:ee::el9"], "vendor": "Red Hat", "product": "Ansible Automation Platform Execution Environments", "versions": [{"status": "unaffected", "version": "1.2.0-91", "lessThan": "*", "versionType": "rpm"}], "packageName": "ansible-automation-platform/ansible-builder-rhel8", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ansible_automation_platform:ee::el8", "cpe:/a:redhat:ansible_automation_platform:ee::el9"], "vendor": "Red Hat", "product": "Ansible Automation Platform Execution Environments", "versions": [{"status": "unaffected", "version": "3.0.1-95", "lessThan": "*", "versionType": "rpm"}], "packageName": "ansible-automation-platform/ansible-builder-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ansible_automation_platform:ee::el8", "cpe:/a:redhat:ansible_automation_platform:ee::el9"], "vendor": "Red Hat", "product": "Ansible Automation Platform Execution Environments", "versions": [{"status": "unaffected", "version": "2.9.27-32", "lessThan": "*", "versionType": "rpm"}], "packageName": "ansible-automation-platform/ee-29-rhel8", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ansible_automation_platform:ee::el8", "cpe:/a:redhat:ansible_automation_platform:ee::el9"], "vendor": "Red Hat", "product": "Ansible Automation Platform Execution Environments", "versions": [{"status": "unaffected", "version": "2.16.13-1", "lessThan": "*", "versionType": "rpm"}], "packageName": "ansible-automation-platform/ee-minimal-rhel8", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ansible_automation_platform:ee::el8", "cpe:/a:redhat:ansible_automation_platform:ee::el9"], "vendor": "Red Hat", "product": "Ansible Automation Platform Execution Environments", "versions": [{"status": "unaffected", "version": "2.15.12-17", "lessThan": "*", "versionType": "rpm"}], "packageName": "ansible-automation-platform/ee-minimal-rhel9", "collectionURL": "https://catalog.redhat.com/software/containers/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:ansible_automation_platform:2"], "vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2", "packageName": "ansible-core", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux_ai:1"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux AI (RHEL AI)", "packageName": "rhelai1/bootc-nvidia-rhel9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}], "timeline": [{"lang": "en", "time": "2024-09-13T08:31:27.781000+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-09-13T08:35:00+00:00", "value": "Made public."}], "datePublic": "2024-09-13T08:35:00+00:00", "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:8969", "name": "RHSA-2024:8969", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-8775", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312119", "name": "RHBZ#2312119", "tags": ["issue-tracking", "x_refsource_REDHAT"]}], "workarounds": [{"lang": "en", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-532", "description": "Insertion of Sensitive Information into Log File"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-11T17:38:13.547Z"}, "x_redhatCweChain": "CWE-532: Insertion of Sensitive Information into Log File"}}, "cveMetadata": {"cveId": "CVE-2024-8775", "state": "PUBLISHED", "dateUpdated": "2024-11-11T17:38:13.547Z", "dateReserved": "2024-09-13T09:06:07.367Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2024-09-14T02:15:14.907Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions."}, {"lang": "es", "value": "Se encontr\u00f3 una falla en Ansible, donde la informaci\u00f3n confidencial almacenada en archivos de Ansible Vault puede quedar expuesta en texto plano durante la ejecuci\u00f3n de un playbook. Esto ocurre cuando se usan tareas como include_vars para cargar variables almacenadas sin configurar el par\u00e1metro no_log: true, lo que da como resultado que se impriman datos confidenciales en la salida o los registros del playbook. Esto puede provocar la divulgaci\u00f3n involuntaria de secretos como contrase\u00f1as o claves API, lo que compromete la seguridad y potencialmente permite el acceso o las acciones no autorizadas."}], "id": "CVE-2024-8775", "lastModified": "2024-11-06T20:15:06.763", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-09-14T03:15:08.987", "references": [{"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:8969"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/security/cve/CVE-2024-8775"}, {"source": "secalert@redhat.com", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312119"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "secalert@redhat.com", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:8969", "cpe": "cpe:/a:redhat:ansible_automation_platform:ee::el8", "package": "ansible-automation-platform/ansible-builder-rhel8:1.2.0-91", "product_name": "Ansible Automation Platform Execution Environments", "release_date": "2024-11-06T00:00:00Z"}, {"advisory": "RHSA-2024:8969", "cpe": "cpe:/a:redhat:ansible_automation_platform:ee::el8", "package": "ansible-automation-platform/ansible-builder-rhel9:3.0.1-95", "product_name": "Ansible Automation Platform Execution Environments", "release_date": "2024-11-06T00:00:00Z"}, {"advisory": "RHSA-2024:8969", "cpe": "cpe:/a:redhat:ansible_automation_platform:ee::el8", "package": "ansible-automation-platform/ee-29-rhel8:2.9.27-32", "product_name": "Ansible Automation Platform Execution Environments", "release_date": "2024-11-06T00:00:00Z"}, {"advisory": "RHSA-2024:8969", "cpe": "cpe:/a:redhat:ansible_automation_platform:ee::el8", "package": "ansible-automation-platform/ee-minimal-rhel8:2.17.6-1", "product_name": "Ansible Automation Platform Execution Environments", "release_date": "2024-11-06T00:00:00Z"}, {"advisory": "RHSA-2024:8969", "cpe": "cpe:/a:redhat:ansible_automation_platform:ee::el8", "package": "ansible-automation-platform/ee-minimal-rhel9:2.17.6-2", "product_name": "Ansible Automation Platform Execution Environments", "release_date": "2024-11-06T00:00:00Z"}], "bugzilla": {"description": "ansible-core: Exposure of Sensitive Information in Ansible Vault Files Due to Improper Logging", "id": "2312119", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2312119"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "cwe": "CWE-532", "details": ["A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.", "A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2024-8775", "package_state": [{"cpe": "cpe:/a:redhat:ansible_automation_platform:2", "fix_state": "Affected", "package_name": "ansible-core", "product_name": "Red Hat Ansible Automation Platform 2"}, {"cpe": "cpe:/a:redhat:enterprise_linux_ai:1", "fix_state": "Affected", "package_name": "rhelai1/bootc-nvidia-rhel9", "product_name": "Red Hat Enterprise Linux AI (RHEL AI)"}], "public_date": "2024-09-13T08:35:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2024-8775\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8775"], "statement": "This issue is classified as moderate rather than important because while it does expose sensitive information during playbook execution, the exposure is limited to logs and output generated during the run, which is typically accessible only to authorized users with sufficient privileges. The flaw does not result in an immediate or direct compromise of systems, as no remote exploitation vector is introduced. Additionally, the risk can be mitigated through proper configuration (`no_log: true`) and access control measures, reducing the likelihood of unauthorized access to the logged data. However, the unintentional disclosure of secrets like passwords or API keys still presents a potential risk for privilege escalation or lateral movement within an environment, justifying a moderate severity rating.", "threat_severity": "Moderate"}