CVE-2024-8775

Summary

A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions.

Affected Software

VendorProductVersion RangeStatus
1.0.0 <= 2.17.4affected
Red HatAnsible Automation Platform Execution Environments3.0.1-96 < *unaffected
Red HatAnsible Automation Platform Execution Environments3.0.1-95 < *unaffected
Red HatAnsible Automation Platform Execution Environments2.9.27-32 < *unaffected
Red HatAnsible Automation Platform Execution Environments2.14.13-21 < *unaffected
Red HatAnsible Automation Platform Execution Environments2.17.6-2 < *unaffected
Red HatDiscovery 1 for RHEL 91.12.0-1 < *unaffected
Red HatDiscovery 1 for RHEL 91.12.0-1 < *unaffected
Red HatRed Hat Ansible Automation Platform 2.4 for RHEL 81:2.15.13-1.el8ap < *unaffected
Red HatRed Hat Ansible Automation Platform 2.4 for RHEL 91:2.15.13-1.el9ap < *unaffected
Red HatRed Hat Ansible Automation Platform 2.5 for RHEL 81:2.16.13-1.el8ap < *unaffected
Red HatRed Hat Ansible Automation Platform 2.5 for RHEL 91:2.16.13-1.el9ap < *unaffected

Weaknesses

  • CWE-532: Insertion of Sensitive Information into Log File

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

CVE Program Container

Additional References

References