CVE-2017-7473

Impact:
Moderate
Public Date:
2017-04-11
CWE:
CWE-212
Bugzilla:
1440912: CVE-2017-7473 ansible: Potential information disclosure via no_log directive
Ansible versions 2.2.3 and earlier are vulnerable to an information disclosure flaw due to the interaction of callback plugins and the no_log directive: task results marked no_log may not be sanitized properly before a callback plugin emits them.

Find out more about CVE-2017-7473 from the MITRE CVE dictionary and NIST NVD.
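The advisory does not show the affected code. As an added illustration (not Red Hat's or the Ansible project's code), the Python below contrasts a callback that serializes a task result verbatim with one that honors no_log before anything reaches stdout or a log; it assumes Ansible's convention of marking such results with an `_ansible_no_log` key, including per-item results of a loop, and runs on constructed sample results.

```python
import json

# Constructed sample results shaped like the dicts Ansible passes to a callback
# plugin's v2_runner_on_* hooks. '_ansible_no_log' is assumed here to be the key
# Ansible sets on a result whose task declared `no_log: true`; the loop case
# assumes each per-item result carries its own flag.
SECRET = "constructed-secret"
NO_LOG_RESULT = {
    "changed": True,
    "invocation": {"module_args": {"password": SECRET}},
    "stdout": "user added",
    "_ansible_no_log": True,
}
LOOP_RESULT = {
    "changed": True,
    "results": [
        {"item": "alice", "msg": "ok", "_ansible_no_log": False},
        {"item": "bob", "msg": "token " + SECRET, "_ansible_no_log": True},
    ],
}
CENSORED = {"censored": "output hidden because 'no_log: true' was set for this result"}


def dump_result_naive(result):
    """What a leaky callback does: serialize the raw result, no_log or not."""
    return json.dumps(result, sort_keys=True)


def sanitize_result(result):
    """Return a copy of the result that honors no_log, including loop items."""
    if result.get("_ansible_no_log"):
        return dict(CENSORED)
    clean = {}
    for key, value in result.items():
        if key.startswith("_ansible_"):
            continue  # internal bookkeeping, never user-facing
        if key == "results" and isinstance(value, list):
            value = [sanitize_result(i) if isinstance(i, dict) else i for i in value]
        clean[key] = value
    return clean


def dump_result_safe(result):
    """Serialize only after sanitizing; this is the step a callback must not skip."""
    return json.dumps(sanitize_result(result), sort_keys=True)


def leaks(dump, secret=SECRET):
    """Cheap check a test suite can run over captured callback output."""
    return secret in dump
```

Running `leaks()` over the output of every callback plugin in a test playbook that sets `no_log: true` on a task with a known dummy secret is a simple regression check for this class of flaw.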

Statement

Red Hat OpenStack Platform will no longer be updating the Ansible package in:
* Red Hat OpenStack Platform 10 (Newton)
* Red Hat OpenStack Platform 11 (Ocata)

As of Red Hat Enterprise Linux 7.4, customers can consume an updated Ansible package directly from the extras-rhel-7.4 channel. For more information, refer to Red Hat Enterprise Linux release information.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.

CVSS3 Base Score: 4.7
CVSS3 Base Metrics: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None

Affected Packages State

Platform                                   Package   State
Red Hat Storage Console 2                  ansible   Will not fix
Red Hat OpenStack Platform 11.0 (Ocata)    ansible   Will not fix
Red Hat OpenStack Platform 10              ansible   Will not fix
Red Hat OpenShift Enterprise 3             ansible   Will not fix
Red Hat Gluster Storage 3                  ansible   Will not fix
Red Hat Enterprise Linux 7                 ansible   Will not fix

Acknowledgements

This issue was discovered by David Moreau Simard (Red Hat).
