Sensitive Data Exposure in Ansible Product by Red Hat
CVE-2018-10855

5.9MEDIUM

Key Information:

Vendor: [unknown]
Status: Ansible
Vendor: CVE Published:; 3 July 2018

What is CVE-2018-10855?

The Ansible automation tool versions 2.5 and 2.4 prior to their respective patch releases fail to respect the no_log flag for tasks that encounter errors. This oversight can lead to sensitive data being logged and displayed in the terminal, posing a security risk as it may expose critical information to unauthorized users. Users must apply the necessary updates to mitigate this vulnerability and safeguard their data.

Affected Version(s)

ansible Ansible 2.4.5

ansible Ansible 2.5.5

References

https://access.redhat.com/errata/RHSA-2018:1949

vendor-advisoryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855

x_refsource_CONFIRM

https://access.redhat.com/errata/RHBA-2018:3788

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

CVSS V3.0

Score:

5.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 3, 2018
Vulnerability Reserved
May 9, 2018

CVE-2018-10855 Data

JSON

[unknown]

What is CVE-2018-10855?

Affected Version(s)

References

CVSS V3.1

CVSS V3.0

Timeline