CVE-2019-10206
unknown
CVSS v3
—
CVSS v2
—
VIR risk
—
Description
ansible-playbook -k and the ansible CLI tools, in all 2.8.x versions before 2.8.4, all 2.7.x versions before 2.7.13 and all 2.6.x versions before 2.6.19, prompt for passwords and expand them as templates, since they could contain special characters. Passwords should be wrapped to prevent template expansion from being triggered and exposing them.
Predictions
Exploit likelihood
30%
Patch ETA
—
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2019-10206.html
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2019-10206
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| debian | sid | fixed | 2.8.6+dfsg-1 |
| debian | forky | fixed | 2.8.6+dfsg-1 |
| debian | trixie | fixed | 2.8.6+dfsg-1 |
| debian | bookworm | fixed | 2.8.6+dfsg-1 |
| debian | bullseye | fixed | 2.8.6+dfsg-1 |
| sles | | affected | |
References
- https://security-tracker.debian.org/tracker/CVE-2019-10206
- https://nvd.nist.gov/vuln/detail/CVE-2019-10206
- https://github.com/ansible/ansible/commit/4b5aed4e5af4c7aab621662f50a289e99b8ac393
- https://github.com/ansible/ansible/commit/d39488ece44956f6a169a498b067bbef54552be1
- https://github.com/ansible/ansible/commit/d728127310b4f3a40ce8b9df3affb88ffaeea073
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10206
- https://github.com/ansible/ansible
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-145.yaml
- https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html
- https://www.debian.org/security/2021/dsa-4950
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html
- http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html
- https://www.suse.com/security/cve/CVE-2019-10206.html