{ "threat_severity" : "Moderate", "public_date" : "2024-09-13T08:35:00Z", "bugzilla" : { "description" : "ansible-core: Exposure of Sensitive Information in Ansible Vault Files Due to Improper Logging", "id" : "2312119", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2312119" }, "cvss3" : { "cvss3_base_score" : "5.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-532", "details" : [ "A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.", "A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions." ], "statement" : "This issue is classified as moderate rather than important because while it does expose sensitive information during playbook execution, the exposure is limited to logs and output generated during the run, which is typically accessible only to authorized users with sufficient privileges. The flaw does not result in an immediate or direct compromise of systems, as no remote exploitation vector is introduced. Additionally, the risk can be mitigated through proper configuration (`no_log: true`) and access control measures, reducing the likelihood of unauthorized access to the logged data. However, the unintentional disclosure of secrets like passwords or API keys still presents a potential risk for privilege escalation or lateral movement within an environment, justifying a moderate severity rating.", "affected_release" : [ { "product_name" : "Ansible Automation Platform Execution Environments", "release_date" : "2024-11-06T00:00:00Z", "advisory" : "RHSA-2024:8969", "cpe" : "cpe:/a:redhat:ansible_core:2::el8", "package" : "ansible-automation-platform/ansible-builder-rhel8:1.2.0-91" }, { "product_name" : "Ansible Automation Platform Execution Environments", "release_date" : "2024-11-06T00:00:00Z", "advisory" : "RHSA-2024:8969", "cpe" : "cpe:/a:redhat:ansible_core:2::el8", "package" : "ansible-automation-platform/ansible-builder-rhel9:3.0.1-95" }, { "product_name" : "Ansible Automation Platform Execution Environments", "release_date" : "2024-11-06T00:00:00Z", "advisory" : "RHSA-2024:8969", "cpe" : "cpe:/a:redhat:ansible_core:2::el8", "package" : "ansible-automation-platform/ee-29-rhel8:2.9.27-32" }, { "product_name" : "Ansible Automation Platform Execution Environments", "release_date" : "2024-11-06T00:00:00Z", "advisory" : "RHSA-2024:8969", "cpe" : "cpe:/a:redhat:ansible_core:2::el8", "package" : "ansible-automation-platform/ee-minimal-rhel8:2.12.10-54" }, { "product_name" : "Ansible Automation Platform Execution Environments", "release_date" : "2024-11-06T00:00:00Z", "advisory" : "RHSA-2024:8969", "cpe" : "cpe:/a:redhat:ansible_core:2::el8", "package" : "ansible-automation-platform/ee-minimal-rhel9:2.15.12-17" }, { "product_name" : "Discovery 1 for RHEL 9", "release_date" : "2025-02-10T00:00:00Z", "advisory" : "RHSA-2025:1249", "cpe" : "cpe:/o:redhat:discovery:1.0::el9", "package" : "discovery/discovery-server-rhel9:1.12.0-1" }, { "product_name" : "Discovery 1 for RHEL 9", "release_date" : "2025-02-10T00:00:00Z", "advisory" : "RHSA-2025:1249", "cpe" : "cpe:/o:redhat:discovery:1.0::el9", "package" : "discovery/discovery-ui-rhel9:1.12.0-1" }, { "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "release_date" : "2024-12-03T00:00:00Z", "advisory" : "RHSA-2024:10762", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el8", "package" : "ansible-core-1:2.15.13-1.el8ap" }, { "product_name" : "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "release_date" : "2024-12-03T00:00:00Z", "advisory" : "RHSA-2024:10762", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "package" : "ansible-core-1:2.15.13-1.el9ap" }, { "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 8", "release_date" : "2024-11-18T00:00:00Z", "advisory" : "RHSA-2024:9894", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el8", "package" : "ansible-core-1:2.16.13-1.el8ap" }, { "product_name" : "Red Hat Ansible Automation Platform 2.5 for RHEL 9", "release_date" : "2024-11-18T00:00:00Z", "advisory" : "RHSA-2024:9894", "cpe" : "cpe:/a:redhat:ansible_automation_platform:2.5::el9", "package" : "ansible-core-1:2.16.13-1.el9ap" } ], "package_state" : [ { "product_name" : "Red Hat Enterprise Linux 10", "fix_state" : "Affected", "package_name" : "ansible-core", "cpe" : "cpe:/o:redhat:enterprise_linux:10" }, { "product_name" : "Red Hat Enterprise Linux AI (RHEL AI)", "fix_state" : "Fix deferred", "package_name" : "rhelai1/bootc-nvidia-rhel9", "cpe" : "cpe:/a:redhat:enterprise_linux_ai:1" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2024-8775\nhttps://nvd.nist.gov/vuln/detail/CVE-2024-8775\nhttps://github.com/advisories/GHSA-jpxc-vmjf-9fcj" ], "name" : "CVE-2024-8775", "mitigation" : { "value" : "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.", "lang" : "en:us" }, "csaw" : false }