Bug 1856815 (CVE-2020-14330)
Summary: | CVE-2020-14330 Ansible: masked keys for uri module are exposed into content and json output | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso>
Component: | vulnerability | Assignee: | Nobody <nobody>
Status: | VERIFIED --- | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | a.badger, adudiak, bcoca, gblomqui, hvyas, jcammara, jjoyce, jschluet, kbasil, kevin, lhh, lpeer, mabashia, maxim, mburns, pcahyna, sclewis, slinaber, smcdonal, stcannon, tfister, tkuratom, tvignaud
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | ansible-engine 2.9.12 | Doc Type: | If docs needed, set a value
Doc Text: | An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module: sensitive data that is masked in the task parameters is exposed in the module's content and json output. An attacker with access to the logs or outputs of performed tasks can read keys used in other users' playbooks with the uri module. The highest threat from this vulnerability is to data confidentiality. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1856819, 1857185, 1857186, 1859484, 1859536, 1859843, 1867337, 1867882, 1867883, 1874346, 1874348, 1874350 | |
Bug Blocks: | 1856696 | |
Description
Borja Tarraso
2020-07-14 13:59:10 UTC
External References: https://github.com/ansible/ansible/issues/68400

Mitigation: There is no mitigation for this issue.

Acknowledgments: Name: Hung Luong

Created ansible tracking bugs for this issue:
Affects: epel-all [bug 1857185]
Affects: fedora-all [bug 1857186]

Created ansible tracking bugs for this issue:
Affects: openstack-rdo [bug 1859536]

The correct upstream PR which fixes this particular issue is: https://github.com/ansible/ansible/pull/70762/ This has been fixed in 2.9.12 upstream and 2.9.13 downstream.

Statement: Red Hat Ansible Engine 2.9.12 (downstream) and Ansible Engine 2.9.11 (upstream), as well as previous versions, are affected by this flaw. Ansible Engine 2.9.12 (upstream) onwards fixes the issue for upstream, and Red Hat Ansible Engine 2.9.13 is fixed (downstream). Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ship the affected version of Ansible, but they no longer maintain their own version of Ansible. Both products will consume fixes directly from the Ansible repository. As we still ship Ansible separately for Ceph on Ubuntu, a future update may address this issue. In Red Hat OpenStack Platform, because ansible is not directly customer exposed (so that the flaw could not be exploited) and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package. Note: Red Hat OpenStack Platform 15 and newer consume fixes directly from the Ansible repository.
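The exposure described in the Doc Text and the description above is a value that is masked in the task's parameters but returned verbatim in the uri module's `content` and `json` result fields. The following is an added example, not Ansible's own code and not the fix from the upstream PR: a redaction pass over a constructed uri-style result that removes every occurrence of the secret values (including inside the JSON-encoded `content` string), plus a check a defender can run over stored task output to locate residual leaks. The placeholder marker, the result layout and the API key are all constructed for this example.

```python
import json
from typing import Any, Iterable

REDACTED = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"  # placeholder marker, constructed for this example


def redact(value: Any, secrets: Iterable[str]) -> Any:
    """Recursively replace every occurrence of each secret in a result structure.

    Strings are scrubbed by substring replacement, so a secret embedded in a
    JSON-encoded body (the uri module's ``content`` field) is caught as well.
    Dict keys are left alone; only values are rewritten.
    """
    secrets = [s for s in secrets if s]  # an empty secret would match everywhere
    if isinstance(value, str):
        for s in secrets:
            value = value.replace(s, REDACTED)
        return value
    if isinstance(value, dict):
        return {k: redact(v, secrets) for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v, secrets) for v in value]
    return value  # ints, bools, None: nothing to scrub


def leaked_paths(value: Any, secrets: Iterable[str], path: str = "$") -> list:
    """Detection helper: list JSON-path-like locations where a secret still appears."""
    secrets = [s for s in secrets if s]
    if isinstance(value, str):
        return [path] if any(s in value for s in secrets) else []
    if isinstance(value, dict):
        return [p for k, v in value.items() for p in leaked_paths(v, secrets, f"{path}.{k}")]
    if isinstance(value, list):
        return [p for i, v in enumerate(value) for p in leaked_paths(v, secrets, f"{path}[{i}]")]
    return []


# Constructed sample: a uri-style task result whose response echoes the API key
# that was sent in a request header. "json" is the parsed body, "content" the raw text.
API_KEY = "example-api-key-0123"  # constructed value, not a real credential
_body = {"status": "ok", "echo": {"Authorization": f"Bearer {API_KEY}"}}
SAMPLE_RESULT = {
    "status": 200,
    "invocation": {"module_args": {"headers": {"Authorization": REDACTED}}},  # masked in args...
    "content": json.dumps(_body),  # ...but echoed here
    "json": _body,  # ...and here
}

if __name__ == "__main__":
    print("leaks before:", leaked_paths(SAMPLE_RESULT, [API_KEY]))
    clean = redact(SAMPLE_RESULT, [API_KEY])
    print("leaks after:", leaked_paths(clean, [API_KEY]))
    print(json.dumps(clean, indent=2))
```

`leaked_paths` is the part worth keeping as a standing check: run it over archived task output with the set of secrets a playbook used, and any non-empty result is a leak that masking did not cover.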