Fedora Account System
Red Hat Associate
Red Hat Customer
api_key and api_secret are declared no_log=True at the input level, but both credentials are immediately URL-encoded into a GET request as query parameters, bypassing all no_log protection
A flaw was found in the community.general Ansible collection's nexmo module (plugins/modules/nexmo.py). The send_msg() function constructs the Vonage REST API URL by encoding all message parameters — including api_key and api_secret — into the URL query string using urlencode(), then makes a GET request via fetch_url(). While the module's Ansible argument specification correctly declares api_key and api_secret with no_log=True (preventing Ansible from logging the raw parameter values in task output), the module's own HTTP implementation embeds the credentials directly in the request URL. This exposes the credentials through multiple channels: (1) web server and reverse proxy access logs, which routinely record full request URLs; (2) HTTP Referer headers sent to downstream servers; (3) network packet inspection and monitoring tools; (4) Ansible callback plugins or verbose output that may log the URL. The Vonage REST API supports POST requests with credentials in the request body, making this a correctable implementation deficiency. The vulnerability affects all versions of community.general that include the nexmo module, confirmed back to at least version 6.3.0. The nexmo module is deprecated upstream and was removed in community.general 9.0.0, but older versions remain packaged in Red Hat product streams. Upstream: https://github.com/ansible-collections/community.general Affected version: all (confirmed back to 6.3.0) Fixed version: 9.0.0 (module removed; no in-place fix for older versions) Reporter: Bipin Saud / okBoss