GHSA-jwcc-j78w-j73w

Source
https://github.com/advisories/GHSA-jwcc-j78w-j73w
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/10/GHSA-jwcc-j78w-j73w/GHSA-jwcc-j78w-j73w.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-jwcc-j78w-j73w
Aliases
Published
2018-10-10T17:23:20Z
Modified
2024-11-25T05:27:05.840340Z
Severity
  • 5.9 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Ansible exposes sensitive data in log files and on the terminal
Details

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.

Database specific
{
    "nvd_published_at": "2018-07-03T01:29:00Z",
    "cwe_ids": [
        "CWE-532"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:44:13Z"
}
References

Affected packages

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.5.0a1
Fixed
2.5.5

Affected versions

2.*

2.5.0a1
2.5.0b1
2.5.0b2
2.5.0rc1
2.5.0rc2
2.5.0rc3
2.5.0
2.5.1
2.5.2
2.5.3
2.5.4

PyPI / ansible

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.4.0.0
Fixed
2.4.5.0

Affected versions

2.*

2.4.0.0
2.4.1.0
2.4.2.0
2.4.3.0
2.4.4.0