Ansible discloses sensitive information in traceback error message
Moderate severity. GitHub Reviewed.
Published Mar 4, 2022 to the GitHub Advisory Database. Updated Sep 9, 2024.
Description
Published by the National Vulnerability Database: Mar 3, 2022
Published to the GitHub Advisory Database: Mar 4, 2022
Reviewed: Mar 24, 2022
Last updated: Sep 9, 2024
Ansible is an IT automation system that handles configuration management, application deployment, cloud provisioning, ad-hoc task execution, network automation, and multi-node orchestration. A flaw was found in Ansible Engine's ansible-connection module where sensitive information, such as the Ansible user credentials, is disclosed by default in the traceback error message when Ansible receives an unexpected response from set_options. The highest threat from this vulnerability is to confidentiality.
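A minimal Python sketch of the failure mode described above and one way to contain it, added here as an illustration and not taken from Ansible's code. The `set_options` function below is a hypothetical stand-in, and the key list, option names and sample values are constructed assumptions.

```python
import re
import traceback

# Assumed list of option-name fragments that mark a value as secret.
SENSITIVE = r"password|passwd|secret|token|private_key"

# Matches key/value pairs as they appear in a repr() of a dict or in key=value text.
_PAIR = re.compile(
    r"(?P<key>['\"]?\w*(?:" + SENSITIVE + r")\w*['\"]?\s*[:=]\s*)"
    r"(?P<val>'[^']*'|\"[^\"]*\"|[^\s,}\]]+)",
    re.IGNORECASE,
)

# Constructed sample input; not real credentials.
SAMPLE_OPTIONS = {"remote_user": "deploy", "password": "S3cr3t-constructed"}


def set_options(options):
    """Hypothetical helper that fails on an unexpected response and
    embeds its full input, secrets included, in the error text."""
    raise ValueError("unexpected response for options: %r" % (options,))


def run_unsafe(options):
    """Leaky pattern: the raw traceback is returned for display or logging."""
    try:
        set_options(options)
    except Exception:
        return traceback.format_exc()


def redact(text):
    """Mask the value of every sensitive-looking key in error text."""
    return _PAIR.sub(lambda m: m.group("key") + "'********'", text)


def run_hardened(options):
    """Same call, but the traceback is redacted before it leaves the process."""
    try:
        set_options(options)
    except Exception:
        return redact(traceback.format_exc())


if __name__ == "__main__":
    print(run_unsafe(SAMPLE_OPTIONS))    # secret visible in the last line
    print(run_hardened(SAMPLE_OPTIONS))  # secret masked, context preserved
```

Output redaction of this kind is a second layer; keeping secrets out of exception messages in the first place remains the primary control.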