Bug 1857805 (CVE-2020-14332)
Summary: | CVE-2020-14332 Ansible: module_args does not censor properly in --check mode | | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Borja Tarraso <btarraso> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | VERIFIED --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | unspecified | CC: | a.badger, bcoca, gblomqui, gsuckevi, hvyas, jcammara, jjoyce, jschluet, kbasil, kevin, lhh, lpeer, mabashia, maxim, mburns, mcepl, pcahyna, sclewis, slinaber, smcdonal, tkuratom, tvignaud |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | | |
Hardware: | All | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | ansible-engine 2.9.12, ansible-engine 2.8.14 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality. | | |
Story Points: | --- | | |
Clone Of: | | Environment: | |
Last Closed: | | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Bug Depends On: | 1859535, 1857808, 1857817, 1857818, 1859485, 1867905, 1867906, 1874346, 1874348, 1874350 | | |
Bug Blocks: | 1856460 | | |
Description
Borja Tarraso
2020-07-16 15:29:59 UTC
Created ansible tracking bugs for this issue:
Affects: epel-all [bug 1857817]
Affects: fedora-all [bug 1857818]

Created ansible tracking bugs for this issue:
Affects: openstack-rdo [bug 1859535]

Upstream Fix: https://github.com/ansible/ansible/pull/71033

Statement: The version of ansible provided in Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and 3 does not contain the vulnerable functionality and is not affected by this vulnerability. Additionally, these storage products no longer maintain their own version of ansible and fixes are consumed from the core Ansible repository.

External References: https://github.com/ansible/ansible/pull/71033
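The Doc Text above describes a censoring step that the check-mode path skips, so no_log values reach the event data. The following added Python example is not Ansible's code: the function names, result shape and sample values are constructed; only the placeholder string is the one Ansible substitutes for no_log values. It contrasts the early-return bug shape with a single-exit version and adds a check that scans emitted event data for secrets that should have been redacted.

```python
import json
from copy import deepcopy

# Placeholder Ansible substitutes for no_log values in output; everything else
# here is a constructed illustration, not Ansible's own code.
REDACTED = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"


def censor(obj, secrets):
    """Recursively replace every occurrence of a secret string with the placeholder."""
    if isinstance(obj, dict):
        return {k: censor(v, secrets) for k, v in obj.items()}
    if isinstance(obj, list):
        return [censor(v, secrets) for v in obj]
    if isinstance(obj, str):
        for s in secrets:
            if s:
                obj = obj.replace(s, REDACTED)
        return obj
    return obj


def build_result_vulnerable(module_args, secrets, check_mode):
    """Buggy shape: the check-mode path returns before censoring runs."""
    result = {"changed": False, "invocation": {"module_args": deepcopy(module_args)}}
    if check_mode:
        result["skipped"] = True
        return result  # BUG: raw module_args (secrets included) leave uncensored
    result["msg"] = "ok"
    return censor(result, secrets)


def build_result_fixed(module_args, secrets, check_mode):
    """Hardened shape: one exit path, so censoring also covers check mode."""
    result = {"changed": False, "invocation": {"module_args": deepcopy(module_args)}}
    if check_mode:
        result["skipped"] = True
    else:
        result["msg"] = "ok"
    return censor(result, secrets)


def leaked_secrets(event, secrets):
    """Defender check: which secrets appear verbatim anywhere in an emitted event."""
    blob = json.dumps(event)
    return sorted(s for s in secrets if s in blob)


# Constructed sample task arguments and the value the task marked no_log.
ARGS = {"name": "deploy", "login_password": "s3cr3t-pw", "state": "present"}
SECRETS = {"s3cr3t-pw"}
```

Running `leaked_secrets` over callback or event output with the playbook's known no_log values is a practical way to confirm a deployed version no longer leaks them in check mode.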