Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
CVE-2018-10855 - Medium Severity Vulnerability
Vulnerable Library - ansible-2.5.4.tar.gz
Radically simple IT automation
Library home page: https://files.pythonhosted.org/packages/6e/95/490f5e39ee7cc7956eecd070610f0a873b97781c9efdbf6098bad2ed3ee0/ansible-2.5.4.tar.gz
Path to dependency file: yugabyte-db/managed/devops/python3_requirements.txt
Path to vulnerable library: yugabyte-db/managed/devops/python3_requirements.txt,yugabyte-db/cloud/kubernetes/yb-multiregion-k8s
Dependency Hierarchy: - :x: **ansible-2.5.4.tar.gz** (Vulnerable Library)
Found in HEAD commit: d5a0ed9bff63893a5435e09333d22846f6bb3acc
Found in base branch: master
Vulnerability Details
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
Publish Date: 2018-07-03
URL: CVE-2018-10855
CVSS 3 Score Details (5.9)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10855
Release Date: 2018-07-02
Fix Resolution: v2.4.5.0-0.1.rc1,v2.5.5