CVE-2024-0690
06.02.2024, 12:15
An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.
Vendor | Product | Version |
---|---|---|
redhat | ansible | 𝑥 < 2.14.4 |
redhat | ansible | 2.15.0 ≤ 𝑥 < 2.15.9 |
redhat | ansible | 2.16.0 ≤ 𝑥 < 2.16.3 |
redhat | enterprise_linux | 8.0 |
redhat | enterprise_linux | 9.0 |
redhat | ansible_automation_platform | 2.4 |
redhat | ansible_developer | 1.1 |
redhat | ansible_inside | 1.2 |
𝑥 = Vulnerable software versions

Debian Releases
Debian Product |
---|
ansible |
ansible-core |

Ubuntu Releases
Ubuntu Product |
---|
ansible |
ansible-core |
Common Weakness Enumeration
- CWE-117 - Improper Output Neutralization for Logs: The software does not neutralize or incorrectly neutralizes output that is written to logs.
- CWE-116 - Improper Encoding or Escaping of Output: The software prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.