CVE-2019-10217

Name
CVE-2019-10217
Description
A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.
NVD Severity
medium
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217
Exploit https://github.com/ansible/ansible/issues/56269
Third Party Advisory https://github.com/ansible/ansible/pull/59427
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
SUSE http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:* ansible >= 2.8.0 < 2.8.4

Vulnerable and fixed packages

Source package Branch Version Maintainer Status