Public Date:
1588855: CVE-2018-10855 ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
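
The version ranges above can be checked against the first line of `ansible --version` output. The following is an added example, not code from Red Hat or the Ansible project; the function names and sample banners are constructed for illustration, and treating a pre-release tag on a listed stream as unfixed is an assumption.

```python
import re

# Fixed releases named in the advisory text: 2.4 prior to 2.4.5 and
# 2.5 prior to 2.5.5 do not honor no_log for failed tasks.
FIXED_IN = {(2, 4): (2, 4, 5), (2, 5): (2, 5, 5)}

# First banner line looks like "ansible 2.5.3". Some 2.4 builds report a
# fourth numeric component (e.g. "2.4.3.0"), which is captured separately so
# it is not mistaken for a pre-release tag such as "rc1".
_BANNER = re.compile(
    r"^ansible(?:-playbook)?\s+(\d+)\.(\d+)\.(\d+)((?:\.\d+)*)(\S*)", re.MULTILINE
)


def parse_ansible_version(banner):
    """Return ((major, minor, patch), prerelease_tag) or None if unparseable."""
    m = _BANNER.search(banner)
    if m is None:
        return None
    return tuple(int(g) for g in m.group(1, 2, 3)), m.group(5)


def triage(banner):
    """Classify a banner as 'affected', 'fixed', 'not-listed' or 'unparsed'."""
    parsed = parse_ansible_version(banner)
    if parsed is None:
        return "unparsed"
    version, tag = parsed
    fixed = FIXED_IN.get(version[:2])
    if fixed is None:
        # The advisory text names only the 2.4 and 2.5 streams.
        return "not-listed"
    if version < fixed:
        return "affected"
    # Assumption: a pre-release of a listed stream (e.g. 2.5.5rc1) is
    # treated as not yet carrying the fix.
    return "affected" if tag else "fixed"


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for sample in ("ansible 2.5.3\n  config file = /etc/ansible/ansible.cfg\n",
                   "ansible 2.4.5.0\n", "ansible 2.6.1\n"):
        print(sample.splitlines()[0], "->", triage(sample))
```

A result of `not-listed` means the release stream is outside the two named in the description, not that it has been analyzed as safe.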

Find out more about CVE-2018-10855 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

CVSS3 Base Score 5.9
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact None
Availability Impact None

Red Hat Security Errata

| Platform | Errata | Release Date |
| --- | --- | --- |
| CloudForms Management Engine 5.9 (ansible) | RHSA-2018:2184 | 2018-07-12 |
| Red Hat Ansible Engine 2.5 for RHEL 7 (ansible) | RHSA-2018:1949 | 2018-06-19 |
| Red Hat OpenStack Platform 10 (ansible) | RHSA-2019:0054 | 2019-01-16 |
| Red Hat Virtualization 4 Management Agent for RHEL 7 Hosts | RHSA-2018:2079 | 2018-06-28 |
| Red Hat OpenStack Platform 12.0 (ansible) | RHBA-2018:3788 | 2018-12-05 |
| Red Hat Ansible Engine 2 for RHEL 7 (ansible) | RHSA-2018:1948 | 2018-06-19 |
| Red Hat Ansible Engine 2.4 for RHEL 7 Server (ansible) | RHSA-2018:2022 | 2018-06-26 |
| Red Hat OpenStack Platform 13.0 (Queens) (ansible) | RHSA-2018:2585 | 2018-08-29 |

Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although they may not have been subject to full analysis.


Red Hat would like to thank Tobias Henkel (BMW Car IT GmbH) for reporting this issue.

External References

Last Modified