GHSA-86hp-cj9j-33vv

Source
https://github.com/advisories/GHSA-86hp-cj9j-33vv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2021/04/GHSA-86hp-cj9j-33vv/GHSA-86hp-cj9j-33vv.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-86hp-cj9j-33vv
Aliases
Published
2021-04-07T20:33:26Z
Modified
2024-09-09T21:31:13.734920Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • 6.8 (Medium) CVSS_V4 - CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Summary
Insertion of Sensitive Information into Log File, Invocation of Process Using Visible Sensitive Information, and Exposure of Sensitive Information to an Unauthorized Actor in Ansible
Details

A security flaw was found in Ansible Engine: all Ansible 2.7.x versions prior to 2.7.17, all 2.8.x versions prior to 2.8.11 and all 2.9.x versions prior to 2.9.7 are affected when managing Kubernetes with the k8s module. The module passes sensitive parameters such as passwords and tokens to kubectl as command-line arguments rather than through an environment variable or an input configuration file. Command-line arguments are visible to any local user through the process list, so the credentials are disclosed there; the no_log directive (as used with the debug module) has no effect on them, so they are also disclosed on stdout and in log files. Note that the affected ranges recorded below on this page list 2.7.17 and 2.8.11 as still affected, with fixes at 2.7.18, 2.8.12 and 2.9.7; rely on those ranges rather than the prose when checking whether an installed version is patched.
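The following is an added example, not Ansible's code and not the k8s module's fix: it shows why a token placed in kubectl's argv is readable by every local user, and the two shapes the remediation can take (a 0600 kubeconfig file, or pointing kubectl at that file via the KUBECONFIG environment variable). The kubeconfig layout, the --server/--token/--kubeconfig flags and the `get pods` sub-command are illustrative assumptions; nothing here contacts a cluster, and on Linux `sh -c 'sleep 5'` stands in for a running kubectl so the leak can be observed through /proc.

```python
"""Added example (not Ansible's code): why a credential passed to kubectl on
the command line leaks, and the two shapes the fix can take.

Assumptions: the kubeconfig layout, the --server/--token/--kubeconfig flags
and the `get pods` sub-command are illustrative; nothing here contacts a
cluster, and `sh -c 'sleep 5'` stands in for a long-running kubectl."""
import os
import stat
import subprocess
import sys
import tempfile
from typing import Dict, List, Optional, Sequence


def vulnerable_argv(server: str, token: str, subcmd: Sequence[str]) -> List[str]:
    """The pattern the advisory describes: the token rides in argv.

    argv is world-readable via /proc/<pid>/cmdline (what `ps -ef` shows),
    so any local user can read it while kubectl runs.  Ansible's no_log
    only suppresses Ansible's own task output; it cannot hide a child's argv.
    """
    return ["kubectl", "--server", server, "--token", token, *subcmd]


def write_kubeconfig(server: str, token: str, directory: Optional[str] = None) -> str:
    """Hardened pattern 1: keep the token in a 0600 file kubectl reads itself."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "kubeconfig")
    # Minimal kubeconfig, constructed for this example.
    body = (
        "apiVersion: v1\n"
        "kind: Config\n"
        "clusters:\n"
        f"- name: target\n  cluster:\n    server: {server}\n"
        "users:\n"
        f"- name: automation\n  user:\n    token: {token}\n"
        "contexts:\n"
        "- name: target\n  context:\n    cluster: target\n    user: automation\n"
        "current-context: target\n"
    )
    # O_EXCL + 0600 at creation: no window in which the file is world-readable.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    return path


def hardened_argv(kubeconfig: str, subcmd: Sequence[str]) -> List[str]:
    """Only the path is on the command line; the secret stays in the file."""
    return ["kubectl", "--kubeconfig", kubeconfig, *subcmd]


def hardened_env(kubeconfig: str) -> Dict[str, str]:
    """Hardened pattern 2: hand the path over in KUBECONFIG.  Unlike cmdline,
    /proc/<pid>/environ is readable only by the same uid or root."""
    env = {k: v for k, v in os.environ.items() if k != "KUBECONFIG"}
    env["KUBECONFIG"] = kubeconfig
    return env


def leaked_secrets(argv: Sequence[str], secrets: Sequence[str]) -> List[str]:
    """Secrets that appear anywhere in argv (catches `--token X` and `--token=X`)."""
    return [s for s in secrets if any(s in arg for arg in argv)]


def file_mode(path: str) -> int:
    """Permission bits of a file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def cmdline_of(pid: int) -> List[str]:
    """Read another process's argv the way `ps` does (Linux /proc only)."""
    with open(f"/proc/{pid}/cmdline", "rb") as fh:
        return [a.decode() for a in fh.read().split(b"\0") if a]


def main() -> None:
    token = "eyJhbGciOiJSUzI1NiJ9.constructed-example-token"  # not a real credential
    server = "https://10.0.0.1:6443"
    bad = vulnerable_argv(server, token, ["get", "pods"])
    print("inline token, leaked via argv:", leaked_secrets(bad, [token]))

    cfg = write_kubeconfig(server, token)
    good = hardened_argv(cfg, ["get", "pods"])
    print("kubeconfig %s mode %o, leaked via argv: %s"
          % (cfg, file_mode(cfg), leaked_secrets(good, [token])))

    if sys.platform.startswith("linux"):
        # Stand-in child with the vulnerable argv shape; sh keeps the extra
        # operands as $0.. so they sit in its cmdline exactly as kubectl's would.
        child = subprocess.Popen(["sh", "-c", "sleep 5", "kubectl", "--token", token])
        try:
            seen = cmdline_of(child.pid)
            print("/proc/%d/cmdline as any local user sees it: %s"
                  % (child.pid, leaked_secrets(seen, [token])))
        finally:
            child.kill()
            child.wait()


if __name__ == "__main__":
    main()
```

The point no_log cannot address is in `vulnerable_argv`: the token is already in the child's argv before Ansible has anything to log, so the only fix is to keep it out of argv altogether, as `write_kubeconfig` with `hardened_argv` or `hardened_env` does. Rotating any token that has been exposed this way is the practical follow-up, since process-list scrapes leave no trace in Ansible's own logs.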

Database specific
{
    "nvd_published_at": "2020-03-16T15:15:00Z",
    "cwe_ids": [
        "CWE-200",
        "CWE-532"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2021-04-05T17:15:45Z"
}
References

Affected packages

Package: PyPI / ansible
Affected range (type ECOSYSTEM): introduced 2.7.0a1, fixed 2.7.18

Affected versions


2.7.0a1
2.7.0b1
2.7.0rc1
2.7.0rc2
2.7.0rc3
2.7.0rc4
2.7.0
2.7.1
2.7.2
2.7.3
2.7.4
2.7.5
2.7.6
2.7.7
2.7.8
2.7.9
2.7.10
2.7.11
2.7.12
2.7.13
2.7.14
2.7.15
2.7.16
2.7.17

Package: PyPI / ansible
Affected range (type ECOSYSTEM): introduced 2.8.0a1, fixed 2.8.12

Affected versions


2.8.0a1
2.8.0b1
2.8.0rc1
2.8.0rc2
2.8.0rc3
2.8.0
2.8.1
2.8.2
2.8.3
2.8.4
2.8.5
2.8.6
2.8.7
2.8.8
2.8.9
2.8.10
2.8.11

Package: PyPI / ansible
Affected range (type ECOSYSTEM): introduced 2.9.0a1, fixed 2.9.7

Affected versions


2.9.0b1
2.9.0rc1
2.9.0rc2
2.9.0rc3
2.9.0rc4
2.9.0rc5
2.9.0
2.9.1
2.9.2
2.9.3
2.9.4
2.9.5
2.9.6