CVE-2018-10855
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2018-10855.html
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2018-10855
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | sid | fixed | 2.5.5+dfsg-1 |
| debian | forky | fixed | 2.5.5+dfsg-1 |
| debian | bullseye | fixed | 2.5.5+dfsg-1 |
| debian | bookworm | fixed | 2.5.5+dfsg-1 |
| debian | trixie | fixed | 2.5.5+dfsg-1 |
| sles | — | affected | — |
References
- https://security-tracker.debian.org/tracker/CVE-2018-10855
- https://nvd.nist.gov/vuln/detail/CVE-2018-10855
- https://access.redhat.com/errata/RHBA-2018:3788
- https://access.redhat.com/errata/RHSA-2018:1948
- https://access.redhat.com/errata/RHSA-2018:1949
- https://access.redhat.com/errata/RHSA-2018:2022
- https://access.redhat.com/errata/RHSA-2018:2079
- https://access.redhat.com/errata/RHSA-2018:2184
- https://access.redhat.com/errata/RHSA-2018:2585
- https://access.redhat.com/errata/RHSA-2019:0054
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855
- https://github.com/advisories/GHSA-jwcc-j78w-j73w
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2018-42.yaml
- https://usn.ubuntu.com/4072-1
- https://www.debian.org/security/2019/dsa-4396
- https://www.suse.com/security/cve/CVE-2018-10855.html