GHSA-3m93-m4q6-mc6v

Source
https://github.com/advisories/GHSA-3m93-m4q6-mc6v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/02/GHSA-3m93-m4q6-mc6v/GHSA-3m93-m4q6-mc6v.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-3m93-m4q6-mc6v
Aliases
Published
2020-02-26T19:54:31Z
Modified
2024-09-04T20:32:54.727544Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Inclusion of Sensitive Information in Log Files and Improper Output Neutralization for Logs in Ansible
Details

Ansible, versions 2.9.x before 2.9.1, 2.8.x before 2.8.7 and 2.7.x before 2.7.15, does not respect the no_log flag when it is set to True and the Sumologic and Splunk callback plugins are used to send task result events to collectors. As a result, any sensitive data in those results is disclosed to and collected by the collectors.
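
One way to honor no_log before a callback ships a task result to a collector, shown next to the unfiltered behaviour the advisory describes. This is an added example, not code from Ansible or from the Splunk/Sumologic plugins; it assumes the result dict carries the `_ansible_no_log` key (also on each per-item entry under `results` for loop tasks), and the function names, the censor text and the sample data are constructed for illustration.

```python
import json

# Constructed placeholder text; not the wording any Ansible release uses.
CENSORED = "output hidden: no_log was set for this result"


def scrub(result):
    """Return a copy of a task result that is safe to send to a collector."""
    if result.get("_ansible_no_log", False):
        # Drop the whole result rather than trying to pick out secret fields.
        return {"censored": CENSORED}
    clean = dict(result)  # shallow copy so the caller's dict is not mutated
    # Loop tasks hold one sub-result per item; each can be no_log on its own.
    if isinstance(clean.get("results"), list):
        clean["results"] = [
            scrub(item) if isinstance(item, dict) else item
            for item in clean["results"]
        ]
    return clean


def build_event_unsafe(host, task, result):
    """Behaviour described in the advisory: the raw result is serialized."""
    return json.dumps({"host": host, "task": task, "result": result},
                      sort_keys=True)


def build_event(host, task, result):
    """Hardened form: the result is scrubbed before serialization."""
    return json.dumps({"host": host, "task": task, "result": scrub(result)},
                      sort_keys=True)


# Constructed sample data (hypothetical secret and task results).
SECRET = "constructed-db-password"
NO_LOG_RESULT = {"_ansible_no_log": True, "changed": True,
                 "cmd": "mysql -p" + SECRET}
LOOP_RESULT = {"changed": True, "results": [
    {"_ansible_no_log": True, "item": "db", "stdout": SECRET},
    {"_ansible_no_log": False, "item": "web", "stdout": "ok"},
]}

if __name__ == "__main__":
    print(build_event_unsafe("host1", "set db password", NO_LOG_RESULT))
    print(build_event("host1", "set db password", NO_LOG_RESULT))
    print(build_event("host1", "configure services", LOOP_RESULT))
```
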

Database specific
{
    "nvd_published_at": "2020-01-02T15:15:00Z",
    "cwe_ids": [
        "CWE-532"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2020-02-25T02:19:23Z"
}
References

Affected packages

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0a1
Fixed
2.7.15

Affected versions

2.*

2.7.0a1
2.7.0b1
2.7.0rc1
2.7.0rc2
2.7.0rc3
2.7.0rc4
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0a1
Fixed
2.8.7

Affected versions

2.*

2.8.0a1
2.8.0b1
2.8.0rc1
2.8.0rc2
2.8.0rc3
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.9.0a1
Fixed
2.9.1

Affected versions

2.*

2.9.0b1
2.9.0rc1
2.9.0rc2
2.9.0rc3
2.9.0rc4
2.9.0rc5
2.9.0