GHSA-cqmr-rcpr-cxh3

Suggest an improvement
Source
https://github.com/advisories/GHSA-cqmr-rcpr-cxh3
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-cqmr-rcpr-cxh3/GHSA-cqmr-rcpr-cxh3.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-cqmr-rcpr-cxh3
Aliases
Published
2022-05-24T17:01:46Z
Modified
2024-09-04T20:22:33.600697Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
  • 7.1 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
Ansible password prompts could expose passwords
Details

ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.

References

Affected packages

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.8.0
Fixed
2.8.4

Affected versions

2.*

2.8.0
2.8.1
2.8.2
2.8.3

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.7.0
Fixed
2.7.13

Affected versions

2.*

2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.6.0
Fixed
2.6.19

Affected versions

2.*

2.6.0
2.6.1
2.6.2
2.6.3
2.6.4
2.6.5
2.6.6
2.6.7
2.6.8
2.6.9
2.6.10
2.6.11
2.6.12
2.6.13
2.6.14
2.6.15
2.6.16
2.6.17
2.6.18