CVE-2018-10855

Current Description

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.

Basic Data

Published: July 03, 2018
Last Modified: May 29, 2020
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-532
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:M/Au:N/C:P/I:N/A:N
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: MEDIUM
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: PARTIAL
CVSS 2 - Availability Impact: NONE
CVSS 2 - Base Score: 4.3
Severity: MEDIUM
Exploitability Score: 8.6
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Redhat | Ansible Engine | 2.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Redhat | Ansible Engine | * | * | * | * | * | * | * | * | 2.4 | | | 2.4.5
    2.3 | Application | Redhat | Ansible Engine | * | * | * | * | * | * | * | * | 2.5 | | | 2.5.5
    2.3 | Application | Redhat | Cloudforms | 4.6 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Redhat | Openstack | 13.0 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Redhat | Virtualization | 4.0 | * | * | * | * | * | * | * | | | |
  • OR - Configuration 2
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | OS | Debian | Debian Linux | 9.0 | * | * | * | * | * | * | * | | | |
  • OR - Configuration 3
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | Application | Redhat | Openstack | 10 | * | * | * | * | * | * | * | | | |
    2.3 | Application | Redhat | Openstack | 12 | * | * | * | * | * | * | * | | | |
  • OR - Configuration 4
    Cpe Version | Part | Vendor | Product | Version | Update | Edition | Language | SW Edition | Target SW | Target HW | Other | Version Start Including | Version End Including | Version Start Excluding | Version End Excluding
    2.3 | OS | Canonical | Ubuntu Linux | 16.04 | * | * | * | lts | * | * | * | | | |
    2.3 | OS | Canonical | Ubuntu Linux | 18.04 | * | * | * | lts | * | * | * | | | |
    2.3 | OS | Canonical | Ubuntu Linux | 19.04 | * | * | * | * | * | * | * | | | |

Vulnerable Software List

Vendor | Product | Versions
Debian | Debian Linux | 9.0
Redhat | Openstack | 10, 12, 13.0
Redhat | Cloudforms | 4.6
Redhat | Ansible Engine | *, 2.0
Redhat | Virtualization | 4.0
Canonical | Ubuntu Linux | 16.04, 18.04, 19.04

References

Name | Source | URL | Tags
RHBA-2018:3788 | REDHAT | https://access.redhat.com/errata/RHBA-2018:3788 | Vendor Advisory
RHSA-2018:1948 | REDHAT | https://access.redhat.com/errata/RHSA-2018:1948 | Vendor Advisory
RHSA-2018:1949 | REDHAT | https://access.redhat.com/errata/RHSA-2018:1949 | Vendor Advisory
RHSA-2018:2022 | REDHAT | https://access.redhat.com/errata/RHSA-2018:2022 | Vendor Advisory
RHSA-2018:2079 | REDHAT | https://access.redhat.com/errata/RHSA-2018:2079 | Vendor Advisory
RHSA-2018:2184 | REDHAT | https://access.redhat.com/errata/RHSA-2018:2184 | Vendor Advisory
RHSA-2018:2585 | REDHAT | https://access.redhat.com/errata/RHSA-2018:2585 | Vendor Advisory
RHSA-2019:0054 | REDHAT | https://access.redhat.com/errata/RHSA-2019:0054 | Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855 | CONFIRM | https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855 | Issue Tracking, Vendor Advisory
USN-4072-1 | UBUNTU | https://usn.ubuntu.com/4072-1/ | Third Party Advisory
DSA-4396 | DEBIAN | https://www.debian.org/security/2019/dsa-4396 | Third Party Advisory