PYSEC-2019-74
information disclosure vulnerability in ansible (PyPI)

Type: information disclosure. Known public exploits: none.

What is PYSEC-2019-74 About?

This information disclosure vulnerability in Ansible Engine versions up to 2.8.5, 2.7.13, and 2.6.19 leads to credentials disclosure. Logging at the DEBUG level can expose credentials if a plugin uses a library that logs them at this level. This affects Ansible Engine, but not modules, and allows an attacker observing log files to access sensitive data.

Affected Software

ansible <2.6.20

Technical Details

The vulnerability in Ansible Engine (versions up to 2.8.5, 2.7.13, and 2.6.19) is an information disclosure issue related to verbose logging. Specifically, when Ansible Engine is configured to log at the DEBUG level, it can expose credentials. This occurs if a plugin utilized by Ansible Engine internally uses a third-party library that itself logs sensitive information, such as credentials, at the DEBUG level. Because Ansible Engine logs its own interactions and plugin outputs at the DEBUG level, these inadvertently recorded credentials become visible in the Ansible logs, enabling unauthorized access to this sensitive data. Importantly, this flaw does not affect Ansible modules, as they operate in separate processes where this logging interaction does not occur.

What is the Impact of PYSEC-2019-74?

Successful exploitation may allow attackers to gain unauthorized access to credentials, leading to account compromise, unauthorized system access, and potential further breaches.

What is the Exploitability of PYSEC-2019-74?

Exploitation of this vulnerability is of low complexity. It requires Ansible Engine to be configured to log at the DEBUG level, and a plugin to be in use whose underlying library logs credentials at that same level. Once the data has been written to the log, no further authentication is needed to read it, but the attacker needs local access to the Ansible log files, so in terms of data retrieval this is typically a local vulnerability. The primary risk factor is the common practice of enabling DEBUG logging for troubleshooting, especially in production or sensitive environments where logs may not be adequately secured or rotated, which exposes credentials to anyone with log file access.
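The mechanism from the Technical Details section, and the two defensive configurations that close it, as an added example that is not part of this advisory or of Ansible's own code: it uses a constructed stand-in library (`thirdparty.client`, hypothetical) that logs a password at DEBUG, and shows that DEBUG on the root logger captures that record, while scoping DEBUG to the `ansible` logger subtree or attaching a redaction filter to the handler keeps the secret out of the log file.

```python
import io
import logging
import re

# Constructed stand-in for a third-party library that an Ansible plugin might
# import and that logs a credential at DEBUG (hypothetical, not a real library).
lib_log = logging.getLogger("thirdparty.client")

def library_connect(host, password):
    lib_log.debug("connecting to %s with password=%s", host, password)
    return True

class RedactSecrets(logging.Filter):
    """Defensive handler filter: masks password=... before the record is written."""
    PATTERN = re.compile(r"(password=)\S+")

    def filter(self, record):
        record.msg = self.PATTERN.sub(r"\1***", record.getMessage())
        record.args = ()
        return True

def run(root_level, ansible_level, redact):
    """Return the text that reaches the log under a given logging setup."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(name)s %(levelname)s %(message)s"))
    if redact:
        handler.addFilter(RedactSecrets())
    root = logging.getLogger()
    root.addHandler(handler)
    root.setLevel(root_level)  # Engine-style basicConfig applies to the root logger
    logging.getLogger("ansible").setLevel(ansible_level)  # Ansible's own logger subtree
    try:
        logging.getLogger("ansible").info("task started")
        library_connect("db.example.internal", "hunter2")  # constructed sample secret
    finally:
        root.removeHandler(handler)
    return buf.getvalue()

def root_debug():      # vulnerable: DEBUG on the root logger captures every library's records
    return run(logging.DEBUG, logging.DEBUG, False)

def scoped_debug():    # mitigation: DEBUG only on the 'ansible' subtree, root stays at WARNING
    return run(logging.WARNING, logging.DEBUG, False)

def redacted_debug():  # mitigation: root DEBUG kept for troubleshooting, secrets masked at the handler
    return run(logging.DEBUG, logging.DEBUG, True)

def leaks_secret(text, secret="hunter2"):
    return secret in text
```

The same `leaks_secret` check can be run over real log files as a detection step after DEBUG logging has been enabled for troubleshooting.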

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for PYSEC-2019-74?

Available Upgrade Options

  • ansible
    • <2.6.20 → Upgrade to 2.6.20


Additional Resources

What are Similar Vulnerabilities to PYSEC-2019-74?

Similar Vulnerabilities: CVE-2018-10855, CVE-2019-14858, CVE-2020-1739, CVE-2020-14332, CVE-2021-3620