{
  "threat_severity" : "Moderate",
  "public_date" : "2020-03-23T00:00:00Z",
  "bugzilla" : {
    "description" : "Ansible: masked keys for uri module are exposed into content and json output",
    "id" : "1856815",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1856815"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.0",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-532",
  "details" : [ "An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker with access to the logs or outputs of performed tasks to read keys used in playbooks by other users within the uri module. The highest threat from this vulnerability is to data confidentiality." ],
  "statement" : "Red Hat Ansible Engine 2.9.12 (downstream) and Ansible Engine 2.9.11 (upstream), as well as previous versions, are affected by this flaw. Ansible Engine 2.9.12 (upstream) and later fix the issue upstream, and Red Hat Ansible Engine 2.9.13 (downstream) is fixed.\nRed Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ship the affected version of Ansible, but they no longer maintain their own version of Ansible. Both products will consume fixes directly from the Ansible repository. As we still ship Ansible separately for Ceph on Ubuntu, a future update may address this issue.\nIn Red Hat OpenStack Platform, because ansible is not directly exposed to customers (so the flaw could not be exploited) and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package. Note: Red Hat OpenStack Platform 15 and newer consume fixes directly from the Ansible repository.",
  "acknowledgement" : "Red Hat would like to thank Hung Luong for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 7",
    "release_date" : "2020-09-01T00:00:00Z",
    "advisory" : "RHSA-2020:3600",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el7",
    "package" : "ansible-0:2.8.15-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 8",
    "release_date" : "2020-09-01T00:00:00Z",
    "advisory" : "RHSA-2020:3600",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el8",
    "package" : "ansible-0:2.8.15-1.el8ae"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Tower 3",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ansible_tower:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openstack:10",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openstack:13",
    "impact" : "low"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-14330\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14330\nhttps://github.com/ansible/ansible/issues/68400" ],
  "name" : "CVE-2020-14330",
  "mitigation" : {
    "value" : "There is no mitigation for this issue.",
    "lang" : "en:us"
  },
  "csaw" : false
}