Bug 1856815 (CVE-2020-14330) - CVE-2020-14330 Ansible: masked keys for uri module are exposed into content and json output
Summary: CVE-2020-14330 Ansible: masked keys for uri module are exposed into content a...
Keywords:
Status: VERIFIED
Alias: CVE-2020-14330
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 1856819 1857185 1857186 1859484 1859536 1859843 1867337 1867882 1867883 1874346 1874348 1874350
Blocks: 1856696
TreeView+ depends on / blocked
 
Reported: 2020-07-14 13:59 UTC by Borja Tarraso
Modified: 2023-07-07 08:30 UTC (History)
23 users (show)

Fixed In Version: ansible-engine 2.9.12
Doc Type: If docs needed, set a value
Doc Text:
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)

Description Borja Tarraso 2020-07-14 13:59:10 UTC 
In Ansible Engine, when using uri module keys are not properly masked and sensitive data is exposed into content and json output.
Comment 1 Borja Tarraso 2020-07-14 13:59:13 UTC 
External References:

https://github.com/ansible/ansible/issues/68400
Comment 2 Borja Tarraso 2020-07-14 13:59:16 UTC 
Mitigation:

There is no mitigation for this issue.
Comment 5 Borja Tarraso 2020-07-15 08:44:53 UTC 
Acknowledgments:

Name: Hung Luong
Comment 6 Borja Tarraso 2020-07-15 11:14:44 UTC 
Created ansible tracking bugs for this issue:

Affects: epel-all [bug 1857185]
Affects: fedora-all [bug 1857186]
Comment 8 Borja Tarraso 2020-07-22 11:03:26 UTC 
Created ansible tracking bugs for this issue:

Affects: openstack-rdo [bug 1859536]
Comment 12 Borja Tarraso 2020-07-23 07:43:23 UTC 
The correct upstream PR which fixes this particular issue is: https://github.com/ansible/ansible/pull/70762/
Comment 19 Borja Tarraso 2020-10-05 15:34:29 UTC 
This has been fixed in 2.9.12 upstream and 2.9.13 downstream.
Comment 21 Summer Long 2021-01-18 01:27:46 UTC 
Statement:

Red Hat Ansible Engine 2.9.12 (downstream) and Ansible Engine 2.9.11 (upstream), as well as previous versions are affected by this flaw. Ansible Engine 2.9.12 version (upstream) on towards fixes the issue for upstream and Red Hat Ansible Engine 2.9.13 version is fixed (downstream).

Red Hat Gluster Storage 3 and Red Hat Ceph Storage 3 ships the affected version of Ansible, but they no longer maintain their own version of Ansible. Both the products will consume fixes directly from the Ansible repository. As we still ship Ansible separately for Ceph on Ubuntu, a future update may address this issue.

In Red Hat OpenStack Platform, because ansible is not directly customer exposed (so that the flaw could not be exploited) and the fix would require a substantial amount of development, no update will be provided at this time for the RHOSP ansible package. Note: Red Hat Open Stack Platform 15 and newer consume fixes directly from the Ansible repository.
Note You need to log in before you can comment on or make changes to this bug.