Information Exposure Affecting ansible package, versions [,2.6.20)[2.7.0,2.7.14)[2.8.0,2.8.6)


Severity

Recommended
0.0
medium
0
10

CVSS assessment made by Snyk's Security Team. Learn more

Threat Intelligence

EPSS
0.08% (36th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-PYTHON-ANSIBLE-1571824
  • published30 Aug 2021
  • disclosed14 Oct 2019
  • creditSam Doran

Introduced: 14 Oct 2019

CVE-2019-14858  (opens in a new tab)
CWE-200  (opens in a new tab)

How to fix?

Upgrade ansible to version 2.6.20, 2.7.14, 2.8.6 or higher.

Overview

ansible is a simple IT automation system.

Affected versions of this package are vulnerable to Information Exposure. When a module has an argument_spec with sub parameters marked as no_log, passing an invalid parameter to the module will cause the task to fail before the no_log configuration is processed, which may lead to the data being displayed.

CVSS Scores

version 3.1