CVE-2018-10855

moderate-risk

Published 2018-07-03

Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.

Do I need to act?

3.4% chance of exploitation in next 30 days

EPSS score — moderate exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.9/10 Medium

NETWORK / HIGH complexity

Affected Products (11)

Ansible Engine

Cloudforms

Openstack

Virtualization

Debian Linux

Openstack

Ubuntu Linux

Affected Vendors

Debian Redhat Canonical

References (22)

Vendor Advisory https://access.redhat.com/errata/RHBA-2018:3788

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:1948

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:1949

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:2022

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:2079

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:2184

Vendor Advisory https://access.redhat.com/errata/RHSA-2018:2585

Vendor Advisory https://access.redhat.com/errata/RHSA-2019:0054

Issue Tracking https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-10855

Third Party Advisory https://usn.ubuntu.com/4072-1/

Third Party Advisory https://www.debian.org/security/2019/dsa-4396