Debian 11: DLA-3963-1 moderate: Ansible sensitive data threat
debian lts
November 24, 2024
Ansible is a command-line IT automation software application
Summary
Ansible was affected by two vulnerabilities:
CVE-2024-8775
A flaw was found in Ansible, where sensitive information stored in
Ansible Vault files can be exposed in plaintext during the execution
of a playbook. This occurs when using tasks such as include_vars to
load vaulted variables without setting the no_log: true parameter,
resulting in sensitive data being printed in the playbook output or
logs. This can lead to the unintentional disclosure of secrets like
passwords or API keys, compromising security and potentially
allowing unauthorized access or actions.
CVE-2024-9902
The ansible-core `user` module can allow an unprivileged user to
silently create or replace the contents of any file on any system path
and take ownership of it when a privileged user executes
the `user` module against the unprivileged user's home directory.
If the unprivileged user has traversal permissions on the directory
PREVIOUS
NEXT
Severity
important
Lowest
Low
Medium
High
Critical
Package: ansible
Version: 2.10.7+merged+base+2.10.17+dfsg-0+deb11u2
CVE ID: CVE-2024-8775 CVE-2024-9902
Debian Bug: 1082851
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!