CVE-2018-16876
information disclosure vulnerability in ansible (PyPI)
What is CVE-2018-16876 About?
Ansible versions prior to 2.5.14, 2.6.11, and 2.7.5 are vulnerable to an information disclosure flaw when using `vvv+` mode with `no_log` enabled. This configuration can lead to the unintended leakage of sensitive data. Exploitation is dependent on the logging configuration.
Affected Software
- ansible
  - >=2.7.0a1, <2.7.5
  - >=2.5.0, <2.5.14
  - <2.5.14
  - >=2.6.0a1, <2.6.11
Technical Details
The vulnerability arises from a flaw in Ansible's logging mechanism when operating in verbose `vvv+` mode concurrently with the `no_log` parameter being set. The `no_log` parameter is intended to prevent sensitive task output from being logged. However, in certain versions and with high verbosity (`vvv+`), not all sensitive data intended to be suppressed by `no_log` is properly handled. This can result in sensitive information, which should have been redacted, appearing in the Ansible logs or output, leading to an information disclosure event.
What is the Impact of CVE-2018-16876?
Successful exploitation may allow attackers to gain unauthorized access to sensitive information that should have been protected, leading to data breaches or further compromise.
What is the Exploitability of CVE-2018-16876?
Exploitation of this vulnerability has a moderate complexity. It requires the specific operational conditions of Ansible running in `vvv+` verbose mode concurrently with a task or play having `no_log: true` set. An attacker would need access to the Ansible logs or the output of the Ansible execution to observe the leaked data. This is typically a local exploitation scenario, where an attacker has access to the system running Ansible and its logs, or potentially a remote one if logs are exposed. No specific authentication to Ansible as a user is required, but access to the managed system's logs or the Ansible control machine's output is. The likelihood of exploitation increases in environments where verbose logging and `no_log` are commonly used without careful review of actual output.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-16876?
Available Upgrade Options
- ansible
  - <2.5.14 → Upgrade to 2.5.14
- ansible
  - >=2.6.0a1, <2.6.11 → Upgrade to 2.6.11
- ansible
  - >=2.7.0a1, <2.7.5 → Upgrade to 2.7.5
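An audit check for the conditions described above, added here as an example and not taken from Ansible or from this advisory's publisher: it matches an installed version against the affected ranges listed on this page and counts the `-v` flags on a recorded command line. The function names and the sample runs are constructed for illustration; verbosity set elsewhere is not covered, and the check cannot see whether a playbook actually uses `no_log`.

```python
import re
import shlex

# Fixed release per branch, from this advisory's upgrade options.
FIXED = {(2, 5): (2, 5, 14), (2, 6): (2, 6, 11), (2, 7): (2, 7, 5)}
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)((?:a|b|rc)\d+)?$")

def fixed_release(version):
    """Return the release to upgrade to, or None if not listed as affected."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = int(m[1]), int(m[2]), int(m[3])
    # Anything older than the 2.5 branch falls under the "<2.5.14" range.
    fix = FIXED[(2, 5)] if (major, minor) < (2, 5) else FIXED.get((major, minor))
    if fix is None:
        return None  # branch not listed in this advisory
    # A pre-release (a/b/rc) sorts before the final release of the same number.
    if (major, minor, patch, m[4] is None) < fix + (True,):
        return ".".join(map(str, fix))
    return None

def verbosity(command):
    """Count -v flags (-vvv, -v -v -v, --verbose) on an Ansible command line."""
    count = 0
    for token in shlex.split(command)[1:]:
        if token == "--verbose":
            count += 1
        elif re.fullmatch(r"-v+", token):
            count += len(token) - 1
    return count

def audit(version, command):
    """Return (verbosity, fixed_release, at_risk) for one recorded run."""
    level, fix = verbosity(command), fixed_release(version)
    return level, fix, fix is not None and level >= 3

# Constructed sample: (installed ansible version, command line from a CI job).
SAMPLE_RUNS = [
    ("2.7.4", "ansible-playbook -vvv site.yml"),
    ("2.7.5", "ansible-playbook -vvvv site.yml"),
    ("2.6.10", "ansible-playbook -v --verbose site.yml"),
    ("2.4.3", "ansible-playbook -i hosts -v -vv deploy.yml"),
]

if __name__ == "__main__":
    for ver, cmd in SAMPLE_RUNS:
        print(ver, cmd, audit(ver, cmd))
```

A run flagged `at_risk` is one where output and logs from that job should be treated as possibly containing values that `no_log` was meant to hide; a run with a non-empty fixed release but lower verbosity still needs the upgrade.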
Additional Resources
- https://access.redhat.com/errata/RHSA-2019:0564
- https://nvd.nist.gov/vuln/detail/CVE-2018-16876
- https://access.redhat.com/errata/RHSA-2018:3835
- https://osv.dev/vulnerability/GHSA-j569-fghw-f9rx
- http://www.securityfocus.com/bid/106225
- https://web.archive.org/web/20200227100904/http://www.securityfocus.com/bid/106225
- https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-141.yaml
- https://github.com/ansible/ansible
- https://access.redhat.com/errata/RHSA-2018:3837
- https://www.debian.org/security/2019/dsa-4396
What are Similar Vulnerabilities to CVE-2018-16876?
Similar Vulnerabilities: CVE-2023-47926, CVE-2023-47864, CVE-2023-47863, CVE-2023-47631, CVE-2023-45524
