Bug 1732623 (CVE-2019-10206)
Summary: | CVE-2019-10206 Ansible: disclosure data when prompted for password and template characters are passed | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | bcoca, dbecker, jcammara, jjoyce, jschluet, jtanner, kbasil, lhh, lpeer, mburns, puebele, rhos-maint, sclewis, security-response-team, sisharma, slinaber, tkuratom, tvignaud, vbellur |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | ansible-engine 2.8.4, ansible-engine 2.7.13, ansible-engine 2.6.19 | Doc Type: | If docs needed, set a value |
Doc Text: | A data disclosure flaw was found in Ansible. Password prompts in ansible-playbook and the ansible CLI tools could expose passwords containing special (template) characters, because the prompted value was passed on to the templating engine instead of being wrapped as literal text. A password containing such characters is exposed starting at the first of them. The highest threat from this vulnerability is to data confidentiality. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | 2019-08-21 20:47:12 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1732624, 1743498, 1743499, 1743500, 1747979, 1747980, 1747981, 1748852 | | |
Bug Blocks: | 1732617 | | |
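The Doc Text above describes the mechanism in one sentence: a secret typed at a password prompt was handed to the template engine, so template characters inside it were interpreted instead of being kept as literal text. The Python below is an added illustration written for this page; it is not code from Ansible, from the linked pull request, or from this bug report. It uses a small constructed `{{ name }}` renderer to show the unwrapped and wrapped handling of a prompted value side by side, and adds a version check against the Fixed In Version field. `UnsafeText`, `render`, `vulnerable_prompt_handler`, `fixed_prompt_handler`, `leaked_in_error` and `is_fixed` are names invented here, and the sample passwords and variables are constructed.

```python
import re

# Constructed stand-in for a template engine: it expands {{ name }} only.
TEMPLATE_RE = re.compile(r"\{\{\s*(\w+)\s*\}\}")


class UnsafeText(str):
    """Hypothetical marker type: a string the renderer must pass through
    untouched. This is the 'wrapping' the Doc Text says was missing."""


class TemplateError(Exception):
    """Raised on an undefined variable. Its message echoes the source text,
    which is how a secret ends up on a terminal or in a log."""


def render(value, variables):
    """Expand {{ name }} references in value against variables."""
    if isinstance(value, UnsafeText):
        return str(value)  # wrapped input is never interpreted

    def substitute(match):
        name = match.group(1)
        if name not in variables:
            raise TemplateError(f"undefined variable {name!r} in template {value!r}")
        return str(variables[name])

    return TEMPLATE_RE.sub(substitute, value)


def vulnerable_prompt_handler(prompted, variables):
    """Modelled pre-fix behaviour: the prompted secret reaches the renderer as a template."""
    return render(prompted, variables)


def fixed_prompt_handler(prompted, variables):
    """Modelled post-fix behaviour: the secret is wrapped, so the renderer leaves it alone."""
    return render(UnsafeText(prompted), variables)


def leaked_in_error(prompted, variables):
    """Return the error text the vulnerable path would emit, or None if it renders cleanly."""
    try:
        vulnerable_prompt_handler(prompted, variables)
    except TemplateError as exc:
        return str(exc)
    return None


# Fixed versions taken from the Fixed In Version field of this bug.
FIXED_IN = {(2, 6): (2, 6, 19), (2, 7): (2, 7, 13), (2, 8): (2, 8, 4)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def is_fixed(version):
    """True/False for an ansible-engine 2.6/2.7/2.8 version string;
    None for branches this bug does not list."""
    match = VERSION_RE.match(version)
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = tuple(int(p) for p in match.groups())
    fixed = FIXED_IN.get(parts[:2])
    if fixed is None:
        return None
    return parts >= fixed


if __name__ == "__main__":
    # Constructed inputs: a password that happens to contain template syntax.
    host_vars = {"inventory_hostname": "web01"}
    secret = "Tr0ub4dor{{ inventory_hostname }}"
    print("vulnerable:", vulnerable_prompt_handler(secret, host_vars))   # secret silently rewritten
    print("fixed:     ", fixed_prompt_handler(secret, host_vars))        # secret kept verbatim
    print("leaked:    ", leaked_in_error("hunter2{{ nope }}", host_vars))  # secret echoed in an error
    for v in ("2.8.3", "2.8.4", "2.9.0"):
        print(v, "fixed?", is_fixed(v))
```

Two failure modes fall out of the unwrapped path: a defined variable name inside the password silently changes the value that is actually used for authentication, and an undefined one raises an error whose message carries the password in clear. Wrapping the prompted string before it can reach the renderer closes both, which is why the fix is at the prompt rather than in the renderer. The version check only covers the three branches this bug names; treat `None` as "consult the CVE page", not as "safe".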
Description
Borja Tarraso
2019-07-23 22:13:47 UTC
Acknowledgments: Name: Paul Rubin

Fix got merged into development: https://github.com/ansible/ansible/pull/59246
Backports:
2.8.x https://github.com/ansible/ansible/pull/59552
2.7.x https://github.com/ansible/ansible/pull/59553
2.6.x https://github.com/ansible/ansible/pull/59554

This issue has been addressed in the following products:
Red Hat Ansible Engine 2.7 for RHEL 7
Via RHSA-2019:2544 https://access.redhat.com/errata/RHSA-2019:2544

This issue has been addressed in the following products:
Red Hat Ansible Engine 2.6 for RHEL 7
Via RHSA-2019:2545 https://access.redhat.com/errata/RHSA-2019:2545

This issue has been addressed in the following products:
Red Hat Ansible Engine 2 for RHEL 7
Red Hat Ansible Engine 2 for RHEL 8
Via RHSA-2019:2543 https://access.redhat.com/errata/RHSA-2019:2543

This issue has been addressed in the following products:
Red Hat Ansible Engine 2.8 for RHEL 7
Red Hat Ansible Engine 2.8 for RHEL 8
Via RHSA-2019:2542 https://access.redhat.com/errata/RHSA-2019:2542

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10206

Gluster uses the Ansible package from the Ansible repository and hence will consume fixes from core Ansible.

For Ceph-3 we still maintain Ansible, at least for Ubuntu; Ceph-2 has reached end of life and is hence out of support scope.

The vulnerable code was included in all versions shipped with OpenStack 10, 13 and 14.

This issue has been addressed in the following products:
Red Hat OpenStack Platform 14.0 (Rocky)
Via RHSA-2019:3744 https://access.redhat.com/errata/RHSA-2019:3744

This issue has been addressed in the following products:
Red Hat OpenStack Platform 13.0 (Queens)
Via RHSA-2019:3789 https://access.redhat.com/errata/RHSA-2019:3789

External References: https://github.com/ansible/ansible/pull/59246