{
  "threat_severity" : "Moderate",
  "public_date" : "2020-07-16T00:00:00Z",
  "bugzilla" : {
    "description" : "Ansible: module_args does not censor properly in --check mode",
    "id" : "1857805",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1857805"
  },
  "cvss3" : {
    "cvss3_base_score" : "5.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-215",
  "details" : [ "A flaw was found in the Ansible Engine when using module_args. Tasks executed in check mode (--check) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.", "A flaw was found in the Ansible Engine when using module_args. Tasks executed in check mode (--check) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality." ],
  "statement" : "The version of ansible provided in Red Hat Gluster Storage 3, Red Hat Ceph Storage 2 and 3 does not contain the vulnerable functionality and is not affected by this vulnerability. Additionally, these storage products no longer maintain their own version of ansible, and fixes are consumed from the core Ansible repository.",
  "affected_release" : [ {
    "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 7",
    "release_date" : "2020-09-01T00:00:00Z",
    "advisory" : "RHSA-2020:3600",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el7",
    "package" : "ansible-0:2.8.15-1.el7ae"
  }, {
    "product_name" : "Red Hat Ansible Engine 2.8 for RHEL 8",
    "release_date" : "2020-09-01T00:00:00Z",
    "advisory" : "RHSA-2020:3600",
    "cpe" : "cpe:/a:redhat:ansible_engine:2.8::el8",
    "package" : "ansible-0:2.8.15-1.el8ae"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Ansible Tower 3",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ansible_tower:3"
  }, {
    "product_name" : "Red Hat Ceph Storage 2",
    "fix_state" : "Not affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:2"
  }, {
    "product_name" : "Red Hat Ceph Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:ceph_storage:3"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Out of support scope",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Storage 3",
    "fix_state" : "Not affected",
    "package_name" : "ansible",
    "cpe" : "cpe:/a:redhat:storage:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-14332\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14332\nhttps://github.com/ansible/ansible/pull/71033" ],
  "name" : "CVE-2020-14332",
  "csaw" : false
}