It was found that variables from vault are printed to the console/log during an Ansible run when using with_items, potentially exposing security-sensitive data.

Upstream bug: https://github.com/ansible/ansible/issues/14646
Created ansible1.9 tracking bugs for this issue:

Affects: fedora-all [bug 1403230]
Affects: epel-all [bug 1403232]

Created ansible tracking bugs for this issue:

Affects: fedora-all [bug 1403229]
Affects: epel-all [bug 1403231]
> From: Kurt Seifried
> Ok just to confirm once you set this in the playbook (no_log) it can only
> be overridden by the env var correct?
>
> "Note that the use of the no_log attribute does not prevent data from
> being shown when debugging Ansible itself via the ANSIBLE_DEBUG
> environment variable."
>
> however both of these are essentially under administrative control on the
> ansible server, by users that would also have access to the ansible vault,
> correct?

Correct - passing ANSIBLE_DEBUG implies you're running the playbook, and to run the playbook, you'd have access to the vault file and would need the vault password to decrypt it anyway.

> If so there is no trust boundary violation, so this is not a security
> vulnerability, so no CVE/etc. It could be seen potentially as something
> to harden, but that would be at your discretion essentially (and in this
> case it appears to not even be something that should be hardened as it
> already has been via no_log essentially).
>
> If confirmed I'll close it out on my side.

Thanks!
Bill
*** Bug 1743217 has been marked as a duplicate of this bug. ***
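
The no_log setting discussed above, shown on a with_items task next to the unprotected form. This is an added example, not taken from the bug report or the upstream issue; the host group, the vault.yml file name, and the vault_app_users variable with its name/password_hash fields are hypothetical.

```yaml
# Constructed playbook: host group, file name and variable names are hypothetical.
- hosts: appservers
  become: true
  vars_files:
    # Encrypted with ansible-vault. Assumed to define vault_app_users,
    # a list of dicts with "name" and "password_hash" keys.
    - vault.yml
  tasks:
    # Unprotected form: the per-item result line echoes each loop item,
    # so the decrypted vault values end up on the console and in any
    # log that captures the run.
    - name: Create application accounts (items are printed)
      user:
        name: "{{ item.name }}"
        password: "{{ item.password_hash }}"
      with_items: "{{ vault_app_users }}"

    # Protected form: no_log on the task suppresses the item and the
    # module result in normal and verbose (-v) output.
    # As quoted in the thread, it does not hide data when Ansible itself
    # is run with the ANSIBLE_DEBUG environment variable set.
    - name: Create application accounts (items are censored)
      user:
        name: "{{ item.name }}"
        password: "{{ item.password_hash }}"
      with_items: "{{ vault_app_users }}"
      no_log: true
```

With no_log set, failure details for the task are censored as well, so troubleshooting a failing loop means reproducing it with non-sensitive test data rather than removing the attribute on a production run.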