Bug 2312119 (CVE-2024-8775)

Summary: CVE-2024-8775 ansible-core: Exposure of Sensitive Information in Ansible Vault Files Due to Improper Logging
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: achadha, adudiak, amctagga, aoconnor, bbuckingham, bniver, brking, caswilli, davidn, eglynn, ehelms, flucifre, ggainey, gmeno, gtanzill, haoli, hkataria, jcammara, jeder, jjoyce, jmitchel, jneedle, jsamir, jschluet, jtanner, juwatts, jwong, kaycoth, kpusdeka, kshier, lhh, lsvaty, luizcosta, mabashia, mbenjamin, mburns, mgarciac, mhackett, mhulan, michal.skrivanek, mminar, mperina, nmoumoul, nweather, omaciel, pbraun, pcreech, pgrist, rbiba, rbobbitt, rchan, rhos-maint, sbonazzo, simaishi, smcdonal, sostapov, sskracic, stcannon, sthirugn, teagle, tfister, thavo, vereddy, vkrizan, yguenane, zkayyali
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2312766, 2312165, 2312166, 2312167, 2312168, 2312169, 2312765
Bug Blocks:

Description OSIDB Bzimport 2024-09-13 09:11:31 UTC
This CVE affects Ansible and is similar to CVE-2024-0690. The vulnerability arises due to improper handling of sensitive variables loaded from Ansible Vault files, potentially leading to the exposure of secret data during execution.
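The Doc Text above describes the pattern at issue: an include_vars task loads a vault-encrypted file, and because the decrypted values become part of that task's result, they can land in verbose playbook output or in logs unless the task carries no_log: true. The playbook below is an added example written for this page, not code from the bug report or from the Ansible project; it contrasts the weak task with its mitigated form. The file name secrets.yml, the variable name api_token and the URL are assumptions, and secrets.yml is assumed to have been encrypted with ansible-vault and supplied with a vault password at run time.

```yaml
# Added example (not from the bug report): the include_vars pattern described
# in the Doc Text, weak form followed by the mitigated form.
# Assumptions (hypothetical): secrets.yml is a vault-encrypted vars file that
# defines api_token, and the play is run with --ask-vault-pass or
# --vault-password-file so the file can be decrypted.
- name: Demonstrate handling of vaulted variables
  hosts: localhost
  gather_facts: false
  tasks:
    # Weak: the decrypted variables are returned in this task's result
    # (ansible_facts), so they can be printed with -v or written to logs.
    - name: Load vaulted secrets (result may be logged)
      ansible.builtin.include_vars:
        file: secrets.yml

    # Mitigated: no_log: true keeps the task result, including the decrypted
    # values, out of playbook output and log destinations.
    - name: Load vaulted secrets without logging the result
      ansible.builtin.include_vars:
        file: secrets.yml
      no_log: true

    # Tasks that later use the secret should also set no_log, since their
    # arguments and results would otherwise carry the value into output.
    - name: Call an API with the loaded token without echoing it
      ansible.builtin.uri:
        url: https://api.example.invalid/health
        headers:
          Authorization: "Bearer {{ api_token }}"
      no_log: true
```

A quick way to confirm the difference is to run the play with -v and compare the two include_vars tasks: the first prints the loaded variables in its result, while the second reports only that output was censored. Note that no_log also hides error details for that task, so keep it scoped to the tasks that actually touch secret values rather than applying it to a whole play.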

Comment 3 errata-xmlrpc 2024-11-06 17:12:36 UTC
This issue has been addressed in the following products:

  Ansible Automation Platform Execution Environments

Via RHSA-2024:8969 https://access.redhat.com/errata/RHSA-2024:8969

Comment 4 errata-xmlrpc 2024-11-18 16:52:59 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.5 for RHEL 8
  Red Hat Ansible Automation Platform 2.5 for RHEL 9

Via RHSA-2024:9894 https://access.redhat.com/errata/RHSA-2024:9894

Comment 5 errata-xmlrpc 2024-12-03 16:17:16 UTC
This issue has been addressed in the following products:

  Red Hat Ansible Automation Platform 2.4 for RHEL 8
  Red Hat Ansible Automation Platform 2.4 for RHEL 9

Via RHSA-2024:10762 https://access.redhat.com/errata/RHSA-2024:10762

Comment 6 Kunal Pusdekar 2025-01-14 18:56:11 UTC
Hello Team,

Is there any specific reason why RHEL is not in the affected column?

This is regarding ansible-core from the AppStream repo.