CVE-2024-0690: Ansible-core: possible information leak in tasks that ignore ansible_no_log configuration
First published: Thu Jan 18 2024(Updated: )
An information disclosure flaw was found in ansible-core due to a failure to respect the `ANSIBLE_NO_LOG` configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/ansible | <2.14.4 | 2.14.4 |
| redhat/ansible | <2.15.9 | 2.15.9 |
| redhat/ansible | <2.16.3 | 2.16.3 |
| pip/ansible-core | >=2.15.0<2.15.9 | 2.15.9 |
| pip/ansible-core | >=2.16.0<2.16.3 | 2.16.3 |
| pip/ansible-core | <2.14.14 | 2.14.14 |
| Ansible | <2.14.4 | |
| Ansible | >=2.15.0<2.15.9 | |
| Ansible | >=2.16.0<2.16.3 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux | =9.0 | |
| All of | ||
| Any of | ||
| redhat ANSIBLE automation platform | =2.4 | |
| Red Hat Ansible Developer | =1.1 | |
| Red Hat Ansible Inside | =1.2 | |
| Any of | ||
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux | =9.0 | |
| Fedora | =38 | |
| Fedora | =39 | |
| IBM Db2 Warehouse | <=v3.5 through refresh 10v4.0 through refresh 9v4.5 through refresh 3v4.6 through refresh 6v4.7 through refresh 4v4.8 through refresh 4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/errata/RHSA-2024:0733
- https://access.redhat.com/errata/RHSA-2024:2246
- https://access.redhat.com/errata/RHSA-2024:3043
- https://access.redhat.com/security/cve/CVE-2024-0690
- https://bugzilla.redhat.com/show_bug.cgi?id=2259013
- https://github.com/ansible/ansible/pull/82565
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2259021
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2259029
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2259030
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2259031
- https://exchange.xforce.ibmcloud.com/vulnerabilities/280711
- https://www.ibm.com/support/pages/node/7155078 (Advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2024-0690
- https://github.com/ansible/ansible/commit/6935c8e303440addd3871ecf8e04bde61080b032
- https://github.com/ansible/ansible/commit/78db3a3de6b40fb52d216685ae7cb903c609c3e1
- https://github.com/ansible/ansible/commit/b9a03bbf5a63459468baf8895ff74a62e9be4532
- https://github.com/ansible/ansible/commit/beb04bc2642c208447c5a936f94310528a1946b1
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible-core/PYSEC-2024-36.yaml
- https://github.com/advisories/GHSA-h24r-m9qc-pvpg (Advisory)
- https://security.netapp.com/advisory/ntap-20250117-0001
- https://security.netapp.com/advisory/ntap-20250117-0001/
Frequently Asked Questions
What is the severity of CVE-2024-0690?
CVE-2024-0690 has been classified as an information disclosure vulnerability in ansible-core.
How do I fix CVE-2024-0690?
To remediate CVE-2024-0690, update ansible-core to versions 2.14.4, 2.15.9, or 2.16.3.
What software is affected by CVE-2024-0690?
CVE-2024-0690 affects versions of ansible-core up to 2.14.4, versions between 2.15.0 and up to 2.15.9, and between 2.16.0 and up to 2.16.3.
Can I still use ansible-core if it's affected by CVE-2024-0690?
While you can still use affected versions, it is strongly recommended to upgrade to mitigate the risk associated with CVE-2024-0690.
What products are also impacted by CVE-2024-0690?
In addition to ansible-core, IBM's Db2 on Cloud Pak for Data and applications using affected versions of ansible may also be impacted by CVE-2024-0690.
- agent/title
- agent/type
- agent/first-publish-date
- agent/author
- agent/remedy
- agent/weakness
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2024-0690
- agent/software-canonical-lookup
- agent/severity
- agent/description
- agent/trending
- collector/mitre-cve
- source/MITRE
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-h24r-m9qc-pvpg
- agent/last-modified-date
- agent/references
- agent/source
- collector/github-advisory
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/tags
- agent/softwarecombine
- collector/ibm-support
- source/IBM
- package-manager/redhat
- package-manager/pip
- vendor/redhat
- canonical/ansible
- version/ansible/2.15.0
- version/ansible/2.16.0
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- version/red hat enterprise linux/9.0
- canonical/redhat ansible automation platform
- version/redhat ansible automation platform/2.4
- canonical/red hat ansible developer
- version/red hat ansible developer/1.1
- canonical/red hat ansible inside
- version/red hat ansible inside/1.2
- vendor/fedoraproject
- canonical/fedora
- version/fedora/38
- version/fedora/39
- vendor/ibm
- canonical/ibm db2 warehouse
- version/ibm db2 warehouse/v3.5 through refresh 10v4.0 through refresh 9v4.5 through refresh 3v4.6 through refresh 6v4.7 through refresh 4v4.8 through refresh 4