Products
Ansible
Source
secalert@redhat.com
Tags
CVE-2024-8775 details
Published : Sept. 14, 2024, 3:15 a.m.
Last Modified : Sept. 14, 2024, 11:47 a.m.
Last Modified : Sept. 14, 2024, 11:47 a.m.
Description
A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.
CVSS Score
| 1 | 2 | 3 | 4 | 5.5 | 6 | 7 | 8 | 9 | 10 |
|---|
Weakness
| Weakness | Name | Description |
|---|---|---|
| CWE-532 | Insertion of Sensitive Information into Log File | Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information. |
CVSS Data
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
Base Score
5.5
Exploitability Score
1.8
Impact Score
3.6
Base Severity
MEDIUM
Vector String : CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
References
| URL | Source |
|---|---|
| https://access.redhat.com/security/cve/CVE-2024-8775 | secalert@redhat.com |
| https://bugzilla.redhat.com/show_bug.cgi?id=2312119 | secalert@redhat.com |
This website uses the NVD API, but is not approved or certified by it.