Impact
The community.general Ansible collection’s nexmo module constructs HTTP GET requests that embed the Vonage API key and secret into the query string. Although the module’s argument specification marks these parameters as no_log, the credentials are still transmitted in the URL and therefore appear in web server access logs, proxy logs, HTTP Referer headers, and network monitoring tools. This flaw is categorized as CWE‑532, resulting in the compromise of confidential credentials. Once obtained, an attacker can use the Vonage account to send arbitrary SMS messages or otherwise abuse the service, with no impact on the local system itself.
Affected Systems
The vulnerability affects Red Hat Enterprise Linux 8, 9, and 10 systems that run Ansible with the community.general collection and utilize the nexmo module. The affected product is the Ansible community.general collection, specifically the nexmo.py module used in Ansible playbooks and Automation Controller or AWX environments on those operating systems.
Risk and Exploitability
The CVSS score of 6.5 classifies the weakness as medium severity. Because the EPSS score is reported as less than 1 % and the vulnerability is not listed in the CISA KEV catalog, the likelihood of exploitation is low, though not impossible. An attacker only needs the ability to observe network traffic, capture verbose output, or read access logs to retrieve the exposed credentials. The attack is passive and requires no additional privilege on the target system.
OpenCVE Enrichment