CVE-2018-10855

high

Description

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.

References

Advisories
More

https://www.debian.org/security/2019/dsa-4396

https://usn.ubuntu.com/4072-1/

https://access.redhat.com/errata/RHSA-2019:0054

https://access.redhat.com/errata/RHSA-2018:2585

https://access.redhat.com/errata/RHSA-2018:2184

https://access.redhat.com/errata/RHSA-2018:2079

https://access.redhat.com/errata/RHSA-2018:2022

https://access.redhat.com/errata/RHSA-2018:1949

https://access.redhat.com/errata/RHSA-2018:1948

https://access.redhat.com/errata/RHBA-2018:3788

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855

Details

Source: Mitre, NVD

Published: 2018-07-03

Updated: 2024-11-21

Risk Information

CVSS v2

Base Score: 4.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 5.9

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Severity: Medium

CVSS v4

Base Score: 8.2

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Severity: High

EPSS

EPSS: 0.02015