Secrets are disclosed in logs because display is hardcoded to DEBUG level. This causes the 'no_log' parameter to be ignored on tasks.
Name: Paul Milbank (Pushpay Site Reliability Engineering), Harvey Rendell (Pushpay Site Reliability Engineering), Tom Henderson (Pushpay Site Reliability Engineering)
Is there any related upstream issue related to this issue or further information? The dependent issues are currently not accessible and we would like to determine which ansible versions in Debian are affected by this CVE.
It almost certainly does. Here's the upstream fix: https://github.com/ansible/ansible/pull/63366