CVE-2024-0690 - OpenCVE

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Redhat	Enterprise Linux Ansible Developer Ansible Automation Platform Ansible Inside Ansible
Fedoraproject	Fedora

Configuration 1 [-]

OR	cpe:2.3:a:redhat:ansible::::::::
	cpe:2.3:a:redhat:ansible::::::::
	cpe:2.3:a:redhat:ansible::::::::
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

Configuration 2 [-]

AND

OR	cpe:2.3:a:redhat:ansible_automation_platform:2.4:::::::*
	cpe:2.3:a:redhat:ansible_developer:1.1:::::::*
	cpe:2.3:a:redhat:ansible_inside:1.2:::::::*

OR	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*

Configuration 3 [-]

OR	cpe:2.3:o:fedoraproject:fedora:38:::::::*
	cpe:2.3:o:fedoraproject:fedora:39:::::::*

References

Link	Resource
https://access.redhat.com/errata/RHSA-2024:0733	Vendor Advisory
https://access.redhat.com/errata/RHSA-2024:2246
https://access.redhat.com/errata/RHSA-2024:3043
https://access.redhat.com/security/cve/CVE-2024-0690	Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2259013	Issue Tracking
https://github.com/ansible/ansible/pull/82565	Issue Tracking Patch

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: redhat

Published: 2024-02-06T12:00:28.505Z

Updated: 2024-07-05T17:21:35.753Z

Reserved: 2024-01-18T16:03:22.626Z

Link: CVE-2024-0690

JSON object: View

NVD Information

Status : Modified

Published: 2024-02-06T12:15:55.530

Modified: 2024-05-22T17:16:11.487

Link: CVE-2024-0690

JSON object: View

Redhat Information

No data.

CWE

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-0690", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2024-01-18T16:03:22.626Z", "datePublished": "2024-02-06T12:00:28.505Z", "dateUpdated": "2024-07-05T17:21:35.753Z"}, "containers": {"cna": {"title": "Ansible-core: possible information leak in tasks that ignore ansible_no_log configuration", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values."}], "affected": [{"versions": [{"status": "affected", "version": "2.14.0", "lessThan": "2.14.4", "versionType": "semver"}, {"status": "affected", "version": "2.15.0", "lessThan": "2.15.9", "versionType": "semver"}, {"status": "affected", "version": "2.16.0", "lessThan": "2.16.3", "versionType": "semver"}], "packageName": "ansible", "collectionURL": "https://www.ansible.com/", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ansible-core", "defaultStatus": "affected", "versions": [{"version": "1:2.15.9-1.el8ap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8", "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9", "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Ansible Automation Platform 2.4 for RHEL 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ansible-core", "defaultStatus": "affected", "versions": [{"version": "1:2.15.9-1.el9ap", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:ansible_automation_platform_developer:2.4::el8", "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el8", "cpe:/a:redhat:ansible_automation_platform:2.4::el9", "cpe:/a:redhat:ansible_automation_platform_inside:2.4::el9", "cpe:/a:redhat:ansible_automation_platform_developer:2.4::el9", "cpe:/a:redhat:ansible_automation_platform:2.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ansible-core", "defaultStatus": "affected", "versions": [{"version": "0:2.16.3-2.el8", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "ansible-core", "defaultStatus": "affected", "versions": [{"version": "1:2.14.14-1.el9", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::appstream"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2024:0733", "name": "RHSA-2024:0733", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:2246", "name": "RHSA-2024:2246", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:3043", "name": "RHSA-2024:3043", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2024-0690", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259013", "name": "RHBZ#2259013", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://github.com/ansible/ansible/pull/82565"}], "datePublic": "2024-01-18T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-117", "description": "Improper Output Neutralization for Logs", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-117: Improper Output Neutralization for Logs", "workarounds": [{"lang": "en", "value": "Explicitly setting 'no_log' within the playbook will prevent the output from containing potentially sensitive information."}], "timeline": [{"lang": "en", "time": "2024-01-18T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2024-01-18T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-05-29T23:26:36.215Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-0690", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-02-06T18:30:30.103500Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-05T17:21:35.753Z"}}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "645218EF-62EC-4EA5-B196-6C52CC6BF0C6", "versionEndExcluding": "2.14.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "B80D311E-FA64-4A61-BC42-441B56D3A019", "versionEndExcluding": "2.15.9", "versionStartIncluding": "2.15.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "DA1B5190-DFC2-4C0F-B190-515D768BB3CD", "versionEndExcluding": "2.16.3", "versionStartIncluding": "2.16.0", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_automation_platform:2.4:*:*:*:*:*:*:*", "matchCriteriaId": "05986E3C-7E5B-45C1-81B0-9D856A8FF1CC", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_developer:1.1:*:*:*:*:*:*:*", "matchCriteriaId": "CEE40363-D286-4EB7-80D2-17CF3B606AD6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible_inside:1.2:*:*:*:*:*:*:*", "matchCriteriaId": "897AB7AC-52B1-4335-97D5-D5EA2FF09CC6", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": false}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values."}, {"lang": "es", "value": "Se encontr\u00f3 una falla de divulgaci\u00f3n de informaci\u00f3n en ansible-core debido a que no se respet\u00f3 la configuraci\u00f3n de ANSIBLE_NO_LOG en algunos escenarios. Se descubri\u00f3 que la informaci\u00f3n todav\u00eda se incluye en la salida de determinadas tareas, como los elementos del bucle. Dependiendo de la tarea, este problema puede incluir informaci\u00f3n confidencial, como valores secretos descifrados."}], "id": "CVE-2024-0690", "lastModified": "2024-05-22T17:16:11.487", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.0, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 3.6, "source": "secalert@redhat.com", "type": "Secondary"}]}, "published": "2024-02-06T12:15:55.530", "references": [{"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0733"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:2246"}, {"source": "secalert@redhat.com", "url": "https://access.redhat.com/errata/RHSA-2024:3043"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2024-0690"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2259013"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/ansible/ansible/pull/82565"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-116"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-117"}], "source": "secalert@redhat.com", "type": "Secondary"}]}