Clear Text Passwords in Ansible Module Output and Log File
CVE-2024-53979

8.3 HIGH

Key Information:

Vendor: Zhmcclient
CVE Published: 29 November 2024

What is CVE-2024-53979?

The IBM Z HMC Ansible Collection ('ibm.ibm_zhmc') writes password-like properties in clear text. When a playbook passes properties such as 'boot_ftp_password', 'ssc_master_pw', 'zaware_master_pw' or 'bind_password' to the collection's modules, those values appear unmasked in the module output and, if the 'log_file' module parameter is set, in the log file the module writes. Anyone who can read the Ansible output or that log file therefore obtains the credentials. The issue is fixed in version 1.9.3 of 'ibm.ibm_zhmc'; users should upgrade to 1.9.3 or later and consider rotating any credentials that earlier versions may have written to module output or log files.
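As an added illustration (not code from the ibm.ibm_zhmc collection, whose internals this page does not describe), the Python below shows the weak pattern behind this class of bug beside the corrected pattern: a module that logs or returns its parameter dict unchanged leaks every password-like property in it, while masking the dict before it is logged or returned does not. It also includes a small scanner for deciding whether log files written by a pre-1.9.3 collection contain clear-text secrets. The property names are those the advisory lists; the parameter layout, the sample values, the log line format and the '_password' / '_pw' suffix heuristic (which goes beyond the four named properties) are assumptions made for this example.

```python
"""Added example: clear-text password properties in module output/log files.

Not code from ibm.ibm_zhmc. Property names come from the advisory; the
parameter layout, sample values, log format and suffix heuristic are assumed.
"""
import logging
import re

# Property names the advisory lists as being logged in clear text.
PASSWORD_LIKE_KEYS = {
    "boot_ftp_password",
    "ssc_master_pw",
    "zaware_master_pw",
    "bind_password",
}
MASK = "********"

# Constructed sample parameters in the shape of a partition task (assumed layout).
SAMPLE_PARAMS = {
    "hmc_host": "hmc.example.com",
    "name": "part1",
    "state": "active",
    "properties": {
        "boot_ftp_host": "ftp.example.com",
        "boot_ftp_password": "Boot!Secret1",
        "ssc_master_pw": "Master!Secret2",
    },
    "log_file": "/var/log/zhmc_ansible.log",
}


def _is_password_key(key):
    """Advisory-listed names plus a suffix heuristic (assumption, not from the page)."""
    return isinstance(key, str) and (
        key in PASSWORD_LIKE_KEYS or key.endswith("_password") or key.endswith("_pw")
    )


def mask_password_properties(obj):
    """Return a copy of obj with every password-like value replaced by MASK.

    Walks nested dicts and lists, because properties such as 'boot_ftp_password'
    typically sit inside a nested 'properties' dict rather than at the top level.
    The input is left untouched."""
    if isinstance(obj, dict):
        return {
            k: (MASK if _is_password_key(k) and v is not None
                else mask_password_properties(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [mask_password_properties(v) for v in obj]
    return obj


def log_params_vulnerable(params, log):
    """Weak pattern: the whole parameter dict, secrets included, goes to the log
    (and, in the same spirit, into the module's returned result)."""
    line = "Module parameters: %r" % (params,)
    log.debug(line)
    return line


def log_params_hardened(params, log):
    """Corrected pattern: mask before anything is logged or returned."""
    line = "Module parameters: %r" % (mask_password_properties(params),)
    log.debug(line)
    return line


def find_leaked_secrets(log_text):
    """Scan log text for password-like properties whose value is not masked.

    Handles repr-style ('key': 'value') as well as key=value and key: value lines.
    Returns (property_name, value) pairs in order of appearance."""
    names = "|".join(re.escape(k) for k in sorted(PASSWORD_LIKE_KEYS))
    pattern = re.compile(r"['\"]?(%s)['\"]?\s*[:=]\s*['\"]?([^'\",}\s]+)" % names)
    return [(k, v) for k, v in pattern.findall(log_text) if v != MASK]


def demo():
    """Run both patterns over the sample parameters and scan what each produced."""
    log = logging.getLogger("zhmc_example")
    vulnerable_line = log_params_vulnerable(SAMPLE_PARAMS, log)
    hardened_line = log_params_hardened(SAMPLE_PARAMS, log)
    return {
        "leaks_in_vulnerable_log": find_leaked_secrets(vulnerable_line),
        "leaks_in_hardened_log": find_leaked_secrets(hardened_line),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable line yields two (name, value) pairs for the constructed sample while the hardened line yields none. To check which collection version an installation has and to move past the affected range, `ansible-galaxy collection list ibm.ibm_zhmc` and `ansible-galaxy collection install 'ibm.ibm_zhmc:>=1.9.3'` are the standard Galaxy commands; the scanner above is only a triage aid for logs that were already written, and finding a hit there means rotating that credential, not just deleting the file.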

Affected Version(s)

zhmc-ansible-modules < 1.9.3

CVSS V3.1

Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Score: 8.3
Severity: HIGH
Attack Vector: Local
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability reserved
  • Vulnerability published: 29 November 2024