CVE-2018-10855

NameCVE-2018-10855
DescriptionAnsible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
NVD severitymedium (attack range: remote)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ansible (PTS)jessie1.7.2+dfsg-2fixed
jessie (security)1.7.2+dfsg-2+deb8u1fixed
stretch2.2.1.0-2vulnerable
buster, sid2.7.1+dfsg-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ansiblesource(unstable)2.5.5+dfsg-1low
ansiblesourcejessie(not affected)

Notes

[jessie] - ansible <not-affected> (vulnerable code not present)
https://github.com/ansible/ansible/pull/41414
https://bugzilla.redhat.com/show_bug.cgi?id=1588855

Search for package or bug name: Reporting problems