CVE-2018-10855
information disclosure vulnerability in ansible (PyPI)
What is CVE-2018-10855 About?
This information disclosure vulnerability in Ansible versions prior to 2.5.5 and 2.4.5 exposes sensitive data. The `no_log` task flag is not honored for failed tasks, causing protected data to be logged or displayed. This allows unauthorized users to view sensitive information and is relatively easy to exploit by running tasks that fail.
Affected Software
- ansible
- >=2.4.0.0, <2.4.5.0
- >=2.5.0a1, <2.5.5
- >=2.5, <2.5.5
Technical Details
Ansible versions 2.5 prior to 2.5.5 and 2.4 prior to 2.4.5 suffer from an information disclosure vulnerability concerning the no_log task flag. When a task is configured with no_log to prevent sensitive data from being logged or displayed, this protection mechanism fails if the task itself does not execute successfully. In the event of a task failure, Ansible will expose the sensitive data in the log files and on the terminal of the user executing Ansible, bypassing the intended no_log directive. This allows anyone with access to these logs or the terminal session to view the protected sensitive information.
What is the Impact of CVE-2018-10855?
Successful exploitation may allow attackers to gain unauthorized access to sensitive information, including credentials, API keys, or other confidential data, leading to further system compromise.
What is the Exploitability of CVE-2018-10855?
Exploitation of this vulnerability is of low complexity. It primarily requires running an Ansible task that is configured with the no_log flag for sensitive data, but which is designed to fail (or fails for any reason). No specific authentication is required to exploit the flaw once the data is exposed, but the attacker needs local access to the log files or the terminal output of the Ansible run. This is typically a local access vulnerability in terms of retrieval of the exposed data. The main risk factor lies in Ansible deployments that frequently run tasks containing sensitive data that may fail, especially in environments where logs or terminal output are inadequately secured or shared.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2018-10855?
Available Upgrade Options
- ansible
- >=2.4.0.0, <2.4.5.0 → Upgrade to 2.4.5.0
- ansible
- >=2.5, <2.5.5 → Upgrade to 2.5.5
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://access.redhat.com/errata/RHSA-2018:2079
- https://access.redhat.com/errata/RHSA-2018:1948
- https://access.redhat.com/errata/RHSA-2018:1949
- https://access.redhat.com/errata/RHSA-2018:2184
- https://access.redhat.com/errata/RHSA-2018:2585
- https://github.com/ansible/ansible
- https://www.debian.org/security/2019/dsa-4396
- https://access.redhat.com/errata/RHSA-2018:2022
- https://access.redhat.com/errata/RHSA-2018:2079
- https://usn.ubuntu.com/4072-1/
What are Similar Vulnerabilities to CVE-2018-10855?
Similar Vulnerabilities: CVE-2019-14858 , PYSEC-2019-74 , CVE-2020-1739 , CVE-2020-14332 , CVE-2021-3620
