Vulnerability Details : CVE-2019-10206
ansible-playbook -k and the ansible CLI tools, in all 2.8.x versions before 2.8.4, all 2.7.x versions before 2.7.13 and all 2.6.x versions before 2.6.19, expand passwords entered at the prompt as templates, because the passwords may contain special characters. Passwords should be wrapped so that they do not trigger template expansion, which exposes them.
Products affected by CVE-2019-10206
- cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*
- cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2019-10206
- Probability of exploitation activity in the next 30 days: 0.27%
- Percentile (the proportion of vulnerabilities that are scored at or less): ~67%
CVSS scores for CVE-2019-10206
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.0 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:N/A:N | 8.0 | 2.9 | NIST | |
6.4 | MEDIUM | CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N | 1.2 | 5.2 | Red Hat, Inc. | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N | 2.8 | 3.6 | NIST | |
CWE ids for CVE-2019-10206
- The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2019-10206
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
  [security-announce] openSUSE-SU-2020:0513-1: moderate: Security update f (Mailing List; Third Party Advisory)
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
  [SECURITY] [DLA 3695-1] ansible security update
- https://www.debian.org/security/2021/dsa-4950
  Debian -- Security Information -- DSA-4950-1 ansible (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
  [security-announce] openSUSE-SU-2020:0523-1: moderate: Security update f (Mailing List; Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10206
  1732623 – (CVE-2019-10206) CVE-2019-10206 Ansible: disclosure data when prompted for password and template characters are passed (Issue Tracking; Vendor Advisory)