CVE-2019-10217: Infoleak
First published: Fri Jul 26 2019(Updated: )
A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Redhat Ansible | >=2.8.0<2.8.4 | |
| redhat/ansible-engine | <2.8.4 | 2.8.4 |
| pip/ansible | >=2.8.0a1<2.8.4 | 2.8.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217
- https://github.com/ansible/ansible/issues/56269
- https://github.com/ansible/ansible/pull/59427
- https://github.com/ansible/ansible-stage/pull/7
- https://access.redhat.com/errata/RHSA-2019:2543
- https://access.redhat.com/errata/RHSA-2019:2542
- https://access.redhat.com/security/cve/cve-2019-10217
- https://bugzilla.redhat.com/show_bug.cgi?id=1733509
- https://nvd.nist.gov/vuln/detail/CVE-2019-10217
- https://github.com/ansible/ansible/commit/c1ee1f142db1e669b710a65147ea32be47a91519
- https://github.com/advisories/GHSA-p75j-wc34-527c (Advisory)
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-3.yaml
Frequently Asked Questions
What is the vulnerability ID of this flaw?
The vulnerability ID is CVE-2019-10217.
What is the severity of CVE-2019-10217?
The severity of CVE-2019-10217 is medium.
Which software version is affected by CVE-2019-10217?
The affected software version is ansible 2.8.0.
How can I fix CVE-2019-10217?
To fix CVE-2019-10217, upgrade ansible to version 2.8.4 or later.
Are there any references available for CVE-2019-10217?
Yes, the references for CVE-2019-10217 are available at the following links: [reference 1](https://github.com/ansible/ansible/issues/56269), [reference 2](https://github.com/ansible/ansible/pull/59427), [reference 3](https://github.com/ansible/ansible-stage/pull/7).
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2019-10217
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-p75j-wc34-527c
- agent/severity
- agent/references
- agent/last-modified-date
- agent/softwarecombine
- agent/event
- collector/nvd-cve
- source/NVD
- agent/author
- agent/tags
- collector/github-advisory
- vendor/redhat
- canonical/redhat ansible
- version/redhat ansible/2.8.0
- package-manager/redhat
- package-manager/pip