CVE-2024-0690

Summary

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.

Affected Software

VendorProductVersion RangeStatus
2.14.0 < 2.14.4affected
2.15.0 < 2.15.9affected
2.16.0 < 2.16.3affected
Red HatRed Hat Ansible Automation Platform 2.4 for RHEL 81:2.15.9-1.el8ap < *unaffected
Red HatRed Hat Ansible Automation Platform 2.4 for RHEL 91:2.15.9-1.el9ap < *unaffected
Red HatRed Hat Enterprise Linux 80:2.16.3-2.el8 < *unaffected
Red HatRed Hat Enterprise Linux 91:2.14.14-1.el9 < *unaffected

Weaknesses

  • CWE-117: Improper Output Neutralization for Logs

Workarounds

Explicitly setting 'no_log' within the playbook will prevent the output from containing potentially sensitive information.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References