CVE-2024-0690 – ansible-core

Package

Manager: pip
Name: ansible-core
Vulnerable Version: >=0 <2.14.14 || >=2.16.0 <2.16.3 || >=2.15.0 <2.15.9

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00054 pctl0.16904

Details

Ansible-core information disclosure flaw An information disclosure flaw was found in ansible-core due to a failure to respect the `ANSIBLE_NO_LOG` configuration in some scenarios. It was discovered that information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.

Metadata

Created: 2024-02-06T12:30:31Z
Modified: 2025-01-17T21:31:38Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-h24r-m9qc-pvpg/GHSA-h24r-m9qc-pvpg.json
CWE IDs: ["CWE-116", "CWE-117"]
Alternative ID: GHSA-h24r-m9qc-pvpg
Finding: F091
Auto approve: 1