Detections
Analytics
NewStart CGSL MAIN 7.02 : ansible-core Multiple Vulnerabilities (NS-SA-2025-0114)
high Nessus Plugin ID 242815
Synopsis
The remote NewStart CGSL host is affected by multiple vulnerabilities.Description
The remote NewStart CGSL host, running version MAIN 7.02, has ansible-core packages installed that are affected by multiple vulnerabilities:- An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values. (CVE-2024-0690)
- A flaw was found in Ansible-Core. This vulnerability allows attackers to bypass unsafe content protections using the hostvars object to reference and execute templated content. This issue can lead to arbitrary code execution if remote data or module outputs are improperly templated within playbooks.
(CVE-2024-11079)
- A flaw was found in Ansible, where sensitive information stored in Ansible Vault files can be exposed in plaintext during the execution of a playbook. This occurs when using tasks such as include_vars to load vaulted variables without setting the no_log: true parameter, resulting in sensitive data being printed in the playbook output or logs. This can lead to the unintentional disclosure of secrets like passwords or API keys, compromising security and potentially allowing unauthorized access or actions. (CVE-2024-8775)
- A flaw was found in Ansible. The ansible-core `user` module can allow an unprivileged user to silently create or replace the contents of any file on any system path and take ownership of it when a privileged user executes the `user` module against the unprivileged user's home directory. If the unprivileged user has traversal permissions on the directory containing the exploited target file, they retain full control over the contents of the file as its owner. (CVE-2024-9902)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the vulnerable CGSL ansible-core packages. Note that updated packages may not be available yet. Please contact ZTE for more information.See Also
https://security.gd-linux.com/notice/NS-SA-2025-0114
https://security.gd-linux.com/info/CVE-2024-0690
https://security.gd-linux.com/info/CVE-2024-11079
Plugin Details
Severity: High
ID: 242815
File Name: newstart_cgsl_NS-SA-2025-0114_ansible-core.nasl
Version: 1.1
Type: local
Published: 7/25/2025
Updated: 7/25/2025
Supported Sensors: Nessus
Risk Information
VPR
Risk Factor: Medium
Score: 5.5
CVSS v2
Risk Factor: Medium
Base Score: 4.6
Temporal Score: 3.4
Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N
CVSS Score Source: CVE-2024-0690
CVSS v3
Risk Factor: Medium
Base Score: 5.5
Temporal Score: 4.8
Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
CVSS v4
Risk Factor: High
Base Score: 7.1
Threat Score: 4.9
Threat Vector: CVSS:4.0/E:U
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score Source: CVE-2024-8775
Vulnerability Information
CPE: cpe:/o:zte:cgsl_main:7, p-cpe:/a:zte:cgsl_main:ansible-core
Required KB Items: Host/local_checks_enabled, Host/ZTE-CGSL/release, Host/ZTE-CGSL/rpm-list, Host/cpu
Exploit Ease: No known exploits are available
Patch Publication Date: 7/25/2025
Vulnerability Publication Date: 1/19/2024
Reference Information
CVE: CVE-2024-0690, CVE-2024-11079, CVE-2024-8775, CVE-2024-9902