Vulnerability Details : CVE-2018-10855
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
Products affected by CVE-2018-10855
- cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:cloudforms:4.6:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:10:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:12:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:openstack:13:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible_engine:2.0:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2018-10855
- EPSS score: 0.35% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~69% (the proportion of vulnerabilities scored at or below this one)
CVSS scores for CVE-2018-10855
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
5.9 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | Red Hat, Inc. | |
5.9 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N | 2.2 | 3.6 | NIST | |
CWE ids for CVE-2018-10855
- The product writes sensitive information to a log file. Assigned by: nvd@nist.gov (Primary); secalert@redhat.com (Secondary)
References for CVE-2018-10855
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855 — 1588855 – (CVE-2018-10855) CVE-2018-10855 ansible: Failed tasks do not honour no_log option allowing for secrets to be disclosed in logs (Issue Tracking; Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:2079 — RHSA-2018:2079 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:1948 — RHSA-2018:1948 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:1949 — RHSA-2018:1949 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://usn.ubuntu.com/4072-1/ — USN-4072-1: Ansible vulnerabilities | Ubuntu security notices (Third Party Advisory)
- https://access.redhat.com/errata/RHBA-2018:3788 — RHBA-2018:3788 - Bug Fix Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:2585 — RHSA-2018:2585 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:2022 — RHSA-2018:2022 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2019:0054 — RHSA-2019:0054 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2018:2184 — RHSA-2018:2184 - Security Advisory - Red Hat Customer Portal (Vendor Advisory)
- https://www.debian.org/security/2019/dsa-4396 — Debian -- Security Information -- DSA-4396-1 ansible (Third Party Advisory)