Closed
Description
CVE-2019-10217 references github.com/ansible/ansible, which may be a Go module.
Description:
A flaw was found in ansible 2.8.0 before 2.8.4. Fields managing sensitive data should be set as such by no_log feature. Some of these fields in GCP modules are not set properly. service_account_contents() which is common class for all gcp modules is not setting no_log to True. Any sensitive data managed by that function would be leak as an output when running ansible playbooks.
References:
- NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-10217
- web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217
- report: gcp_storage_object fails with service_account_contents option ansible/ansible#56269
- fix: gcp_utils: Handle JSON decode exception ansible/ansible#59427
- web: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- web: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- Imported by: https://pkg.go.dev/github.com/ansible/ansible?tab=importedby
Cross references:
No existing reports found with this module or alias.
See doc/triage.md for instructions on how to triage this report.
modules:
- module: github.com/ansible/ansible
vulnerable_at: 2.15.5+incompatible
packages:
- package: Ansible
cves:
- CVE-2019-10217
references:
- web: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10217
- report: https://github.com/ansible/ansible/issues/56269
- fix: https://github.com/ansible/ansible/pull/59427
- web: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- web: http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html