{
  "threat_severity" : "Moderate",
  "public_date" : "2019-07-24T00:00:00Z",
  "bugzilla" : {
    "description" : "Ansible: disclosure data when prompted for password and template characters are passed",
    "id" : "1732623",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1732623"
  },
  "cvss3" : {
    "cvss3_base_score" : "6.4",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-522",
  "details" : [ "ansible-playbook -k and the ansible CLI tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt for passwords and then expand them as templates, which is a problem because passwords can contain special (template) characters. Passwords should be wrapped to prevent template expansion from triggering and exposing them.", "A data disclosure flaw was found in ansible. Password prompts in ansible-playbook and ansible-cli tools could expose passwords with special characters as they are not properly wrapped. A password with special characters is exposed starting with the first of these special characters. The highest threat from this vulnerability is to data confidentiality." ],
  "acknowledgement" : "Red Hat would like to thank Paul Rubin for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Engine 2.6 for RHEL 7",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2545",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.6::el7",
    "package" : "ansible-0:2.6.19-1.el7ae",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.7 for RHEL 7",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2544",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.7::el7",
    "package" : "ansible-0:2.7.13-1.el7ae",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 7",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2542",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el7",
    "package" : "ansible-0:2.8.4-1.el7ae",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 8",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2542",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el8",
    "package" : "ansible-0:2.8.4-1.el8ae",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 7",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2543",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el7",
    "package" : "ansible-0:2.8.4-1.el7ae",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat Ansible Engine 2 for RHEL 8",
    "release_date" : "2019-08-21T00:00:00Z",
    "advisory" : "RHSA-2019:2543",
    "cpe" : "cpe:/a:redhat:ansible_engine:2::el8",
    "package" : "ansible-0:2.8.4-1.el8ae",
    "impact" : "moderate"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13.0 (Queens)",
    "release_date" : "2019-11-07T00:00:00Z",
    "advisory" : "RHSA-2019:3789",
    "cpe" : "cpe:/a:redhat:openstack:13::el7",
    "package" : "ansible-0:2.6.19-1.el7ae"
  }, {
    "product_name" : "Red Hat OpenStack Platform 14.0 (Rocky)",
    "release_date" : "2019-11-06T00:00:00Z",
    "advisory" : "RHSA-2019:3744",
    "cpe" : "cpe:/a:redhat:openstack:14::el7",
    "package" : "ansible-0:2.6.19-1.el7ae"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Will not fix",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-10206\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-10206\nhttps://github.com/ansible/ansible/pull/59246" ],
  "name" : "CVE-2019-10206",
  "csaw" : false
}