CVE-2020-14332
confidentiality vulnerability in ansible (PyPI)


What is CVE-2020-14332 About?

A confidentiality flaw in Ansible Engine's check mode exposes sensitive data. When tasks with the `module_args` parameter are executed in check mode, sensitive information is not properly neutralized in event data, allowing unauthorized users to read it. This vulnerability is specific to check mode execution and can be easily exploited by accessing exposed event data.

Affected Software

  • ansible
    • >=2.10.0a1, <2.10.1rc2
    • <2.8.14
    • >=2.8.0, <2.8.14
    • >=2.9.0a1, <2.9.12

Technical Details

The vulnerability exists in Ansible Engine when using the module_args parameter, specifically during tasks executed with --check-mode. When a task is configured to use module_args, any sensitive data within these arguments is intended to be protected. However, if such a task is run in --check-mode, Ansible fails to properly neutralize or redact this sensitive data within the generated event data. Consequently, unauthorized users with access to this event data, such as log files or the Ansible output, can read the exposed sensitive information, leading to a breach of confidentiality.

What is the Impact of CVE-2020-14332?

Successful exploitation may allow attackers to gain unauthorized access to sensitive information, leading to data exfiltration, compromise of credentials, or further attacks.

What is the Exploitability of CVE-2020-14332?

Exploitation of this flaw is of low complexity. It requires access to the event data generated by Ansible Engine, which could be in log files or standard output. No specific authentication is required to exploit the flaw once the data is exposed, but access to the system running Ansible or the logs is necessary. Local access to log files or access to the terminal output of an Ansible run is typically sufficient. There are no special conditions beyond running a task with module_args in check mode. The risk increases if Ansible logs are accessible to unauthorized users or if verbose output is frequently used in shared environments.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2020-14332?

Available Upgrade Options

  • ansible
    • >=2.8.0, <2.8.14 → Upgrade to 2.8.14
  • ansible
    • >=2.9.0a1, <2.9.12 → Upgrade to 2.9.12
  • ansible
    • >=2.10.0a1, <2.10.1rc2 → Upgrade to 2.10.1rc2


Additional Resources

What are Similar Vulnerabilities to CVE-2020-14332?

Similar Vulnerabilities: CVE-2018-10855, CVE-2019-14858, PYSEC-2019-74, CVE-2020-1739, CVE-2021-3620