Bug 2418774 (CVE-2025-14010)

Summary: CVE-2025-14010 ansible-collection-community-general: Keycloak user module leaks credentials in verbose output
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: amctagga, aoconnor, bniver, eglynn, flucifre, gmeno, groman, jjoyce, jschluet, lhh, lsvaty, mbenjamin, mburns, mgarciac, mhackett, pgrist, sostapov, vereddy
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A flaw was found in ansible-collection-community-general. This vulnerability allows for information exposure (IE) of sensitive credentials, specifically plaintext passwords, via verbose output when running Ansible with debug modes. Attackers with access to logs could retrieve these secrets and potentially compromise Keycloak accounts or administrative access.
Bug Depends On: 2418776, 2418777, 2418778, 2418779, 2418780    
Bug Blocks:    

Description OSIDB Bzimport 2025-12-04 09:34:04 UTC
This vulnerability arises from the community.general.keycloak_user module exposing the credentials[].value field in verbose output. Because this field typically contains plaintext passwords, running Ansible with -vvv or similar debug modes inadvertently leaks sensitive credentials. Attackers or unauthorized users with access to logs could retrieve these secrets and potentially compromise Keycloak accounts or administrative access.
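
For logs that were already captured with verbose output enabled, the following added example (not part of this bug report or of the collection's code) walks every JSON object found in saved Ansible output and masks each `credentials[].value` it contains. The sample log is constructed, its result layout is an assumption, and the names `mask_credentials` and `scrub_log` are hypothetical.

```python
import json
MASK = "********"
# Constructed sample of saved `-vvv` output; the exact result layout is an assumption.
SAMPLE_LOG = '''TASK [create keycloak user] ***
changed: [localhost] => {
    "invocation": {
        "module_args": {
            "username": "alice",
            "credentials": [
                {"type": "password", "value": "constructed-Passw0rd", "temporary": false}
            ]
        }
    }
}
ok: [localhost] => {"msg": "no secrets here"}
'''

def mask_credentials(node):
    """Mask every credentials[].value under node in place; return how many were masked."""
    hits = 0
    if isinstance(node, dict):
        for key, child in node.items():
            if key == "credentials" and isinstance(child, list):
                for cred in child:
                    if isinstance(cred, dict) and cred.get("value") not in (None, MASK):
                        cred["value"] = MASK
                        hits += 1
            else:
                hits += mask_credentials(child)
    elif isinstance(node, list):
        hits += sum(mask_credentials(item) for item in node)
    return hits

def scrub_log(text):
    """Return (scrubbed_text, masked_count) for saved verbose Ansible output."""
    decoder, out, pos, total = json.JSONDecoder(), [], 0, 0
    while (start := text.find("{", pos)) != -1:
        try:
            obj, end = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            out.append(text[pos:start + 1])  # not JSON: keep the brace and move on
            pos = start + 1
            continue
        hits = mask_credentials(obj)
        # Re-serialise only objects that changed, so clean output stays byte-identical.
        out.append(text[pos:start] + (json.dumps(obj, indent=4) if hits else text[start:end]))
        pos, total = end, total + hits
    out.append(text[pos:])
    return "".join(out), total
```

A non-zero count from `scrub_log` means the log held plaintext credentials, so the affected Keycloak passwords should be rotated in addition to scrubbing the file.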