Vulnerability Name:

CVE-2019-10206 (CCN-172428)

Assigned:2019-11-07
Published:2019-11-07
Updated:2022-11-07
Summary:ansible-playbook -k and the ansible CLI tools, in all 2.8.x versions before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, expand passwords entered at a prompt as templates, because they could contain special characters. Passwords should be wrapped to prevent templates from being triggered and exposing them.
CVSS v3 Severity:6.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
5.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availability (A): None
6.4 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N)
5.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): High
Availability (A): None
CVSS v2 Severity:4.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
6.6 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): None
Vulnerability Type:CWE-522
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2019-10206

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:0513

Source: SUSE
Type: Mailing List, Third Party Advisory
openSUSE-SU-2020:0523

Source: CCN
Type: Red Hat Bugzilla - Bug 1732623
CVE-2019-10206 Ansible: disclosure data when prompted for password and template characters are passed

Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10206

Source: XF
Type: UNKNOWN
ansible-cve201910206-info-disc(172428)

Source: DEBIAN
Type: Third Party Advisory
DSA-4950

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2019-10206

Vulnerable Configuration:Configuration 1:
  • cpe:/a:redhat:ansible:*:*:*:*:*:*:*:* (Version >= 2.6.0 and < 2.6.19)
  • OR cpe:/a:redhat:ansible:*:*:*:*:*:*:*:* (Version >= 2.7.0 and < 2.7.13)
  • OR cpe:/a:redhat:ansible:*:*:*:*:*:*:*:* (Version >= 2.8.0 and < 2.8.4)

Configuration 2:
  • cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Configuration 3:
  • cpe:/o:opensuse:leap:15.1:*:*:*:*:*:*:*
  • OR cpe:/a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:redhat:ansible:2.8.3:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:ansible:2.7.12:*:*:*:*:*:*:*
  • OR cpe:/a:redhat:ansible:2.6.18:*:*:*:*:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
    Definition ID | Class | Title | Last Modified
    oval:org.opensuse.security:def:201910206
    V
    CVE-2019-10206
    2022-06-30
    oval:org.opensuse.security:def:111931
    P
    ansible-2.9.24-1.2 on GA media (Moderate)
    2022-01-17
    oval:org.opensuse.security:def:59878
    P
    Security update for apache2 (Important)
    2022-01-12
    oval:org.opensuse.security:def:34050
    P
    Security update for java-1_8_0-ibm (Important) (in QA)
    2022-01-04
    oval:org.opensuse.security:def:59578
    P
    Security update for glib-networking (Important)
    2021-12-13
    oval:org.opensuse.security:def:34011
    P
    Security update for MozillaFirefox (Important)
    2021-12-12
    oval:org.opensuse.security:def:64625
    P
    Security update for xen (Moderate)
    2021-12-03
    oval:org.opensuse.security:def:93587
    P
    (Moderate)
    2021-12-03
    oval:org.opensuse.security:def:60430
    P
    Security update for the Linux Kernel (Important)
    2021-12-02
    oval:org.opensuse.security:def:33747
    P
    Security update for xen (Moderate)
    2021-12-01
    oval:org.opensuse.security:def:74679
    P
    Security update for go1.16 (Moderate)
    2021-12-01
    oval:org.opensuse.security:def:59823
    P
    Security update for postgresql10 (Important)
    2021-11-22
    oval:org.opensuse.security:def:60389
    P
    Security update for strongswan (Important)
    2021-10-19
    oval:org.opensuse.security:def:105499
    P
    ansible-2.9.24-1.2 on GA media (Moderate)
    2021-10-01
    oval:org.opensuse.security:def:64567
    P
    Security update for gstreamer-plugins-good (Moderate)
    2021-09-02
    oval:org.opensuse.security:def:60340
    P
    Security update for openssl-1_1 (Important)
    2021-08-24
    oval:org.opensuse.security:def:33962
    P
    Security update for openssl-1_0_0 (Important)
    2021-08-24
    oval:org.opensuse.security:def:63313
    P
    389-ds-1.4.4.14~git0.37dc95673-1.1 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:63516
    P
    python2-waitress-1.4.3-3.3.1 on GA media (Moderate)
    2021-08-10
    oval:org.opensuse.security:def:62810
    P
    libraptor-devel-2.0.15-9.3.1 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62814
    P
    libsrtp-devel-1.6.0-2.19 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:63020
    P
    libgit2-28-0.28.4-1.28 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:62817
    P
    libthai0-32bit-0.1.27-1.16 on GA media (Moderate)
    2021-08-09
    oval:org.opensuse.security:def:64737
    P
    Security update for bluez (Moderate)
    2021-07-22
    oval:org.opensuse.security:def:60293
    P
    Security update for xterm (Important)
    2021-06-18
    oval:org.opensuse.security:def:100300
    P
    (Important)
    2021-06-18
    oval:org.opensuse.security:def:62842
    P
    apache-pdfbox-1.8.12-3.77 on GA media (Moderate)
    2021-06-08
    oval:org.opensuse.security:def:33904
    P
    Security update for avahi (Important)
    2021-06-03
    oval:org.opensuse.security:def:33659
    P
    Security update for libwebp (Critical)
    2021-06-02
    oval:org.opensuse.security:def:30070
    P
    Security update for samba (Important)
    2021-04-29
    oval:org.opensuse.security:def:29351
    P
    Security update for MozillaFirefox (Important)
    2021-04-27
    oval:org.opensuse.security:def:64465
    P
    Security update for tpm2-tss-engine (Moderate)
    2021-04-08
    oval:org.opensuse.security:def:29482
    P
    Security update for wpa_supplicant (Important)
    2021-03-09
    oval:org.opensuse.security:def:60471
    P
    Security update for openssl-1_0_0 (Moderate)
    2021-03-08
    oval:org.opensuse.security:def:59856
    P
    Security update for python-cryptography (Important)
    2021-03-02
    oval:org.opensuse.security:def:60456
    P
    Security update for tomcat (Moderate)
    2021-02-19
    oval:org.opensuse.security:def:30026
    P
    Security update for bind (Important)
    2021-02-18
    oval:org.opensuse.security:def:60300
    P
    Security update for postgresql, postgresql12, postgresql13 (Important)
    2021-01-26
    oval:org.opensuse.security:def:30007
    P
    Security update for ImageMagick (Important)
    2021-01-22
    oval:org.opensuse.security:def:61058
    P
    Security update for openexr (Moderate)
    2020-12-23
    oval:org.opensuse.security:def:59207
    P
    Security update for shibboleth-sp (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60041
    P
    Security update for bash (Important)
    2020-12-01
    oval:org.opensuse.security:def:58966
    P
    Security update for the Linux Kernel (Live Patch 10 for SLE 12 SP2) (Important)
    2020-12-01
    oval:org.opensuse.security:def:60887
    P
    Security update for ansible (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:33602
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:60808
    P
    Security update for gcc9 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:29919
    P
    Security update for libevent
    2020-12-01
    oval:org.opensuse.security:def:60761
    P
    Security update for java-1_8_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:58989
    P
    Security update for curl (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:29864
    P
    Security update for the Linux Kernel (Important)
    2020-12-01
    oval:org.opensuse.security:def:60672
    P
    Security update for python-PyKMIP (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:29269
    P
    Security update for xen (Important)
    2020-12-01
    oval:org.opensuse.security:def:29711
    P
    Security update for Mozilla Firefox
    2020-12-01
    oval:org.opensuse.security:def:60634
    P
    Security update for openssl (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:29626
    P
    Security update for bzip2 (Important)
    2020-12-01
    oval:org.opensuse.security:def:60552
    P
    sysvinit-tools on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:34797
    P
    Security update for ansible, python-straight-plugin (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:59640
    P
    Security update for tomcat (Important)
    2020-12-01
    oval:org.opensuse.security:def:60548
    P
    supportutils on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:30708
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:33371
    P
    Security update for compat-openssl097g
    2020-12-01
    oval:org.opensuse.security:def:60130
    P
    Security update for samba (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:59206
    P
    Security update for webkit2gtk3 (Important)
    2020-12-01
    oval:org.opensuse.security:def:59941
    P
    Security update for spice (Important)
    2020-12-01
    oval:org.opensuse.security:def:29968
    P
    Security update for libproxy
    2020-12-01
    oval:org.opensuse.security:def:60978
    P
    Security update for java-1_8_0-ibm (Important)
    2020-12-01
    oval:org.opensuse.security:def:60858
    P
    Security update for rubygem-activejob-4_2 (Low)
    2020-12-01
    oval:org.opensuse.security:def:59229
    P
    Security update for libexif (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60767
    P
    Security update for pdns (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:33279
    P
    vino on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60729
    P
    Security update for squid (Important)
    2020-12-01
    oval:org.opensuse.security:def:29268
    P
    Security update for xen (Important)
    2020-12-01
    oval:org.opensuse.security:def:60645
    P
    Security update for xen (Important)
    2020-12-01
    oval:org.opensuse.security:def:60626
    P
    Security update for ansible (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60718
    P
    Security update for python3-requests (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:34757
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:59145
    P
    Security update for the Linux Kernel (Live Patch 29 for SLE 12 SP2) (Important)
    2020-12-01
    oval:org.opensuse.security:def:60600
    P
    Security update for postgresql10 (Important)
    2020-12-01
    oval:org.opensuse.security:def:34119
    P
    Security update for ncurses (Important)
    2020-12-01
    oval:org.opensuse.security:def:29280
    P
    Security update for xorg-x11-libX11 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:34075
    P
    Security update for libxml2 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60111
    P
    Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP2) (Important)
    2020-12-01
    oval:org.opensuse.security:def:74812
    P
    Security update for ansible (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:33506
    P
    Security update for openslp
    2020-12-01
    oval:org.opensuse.security:def:61028
    P
    Security update for java-1_8_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:60177
    P
    Security update for java-1_7_0-openjdk (Important)
    2020-12-01
    oval:org.opensuse.security:def:60937
    P
    Security update for galera-3, mariadb, mariadb-connector-c (Important)
    2020-12-01
    oval:org.opensuse.security:def:58967
    P
    Security update for the Linux Kernel (Live Patch 11 for SLE 12 SP2) (Important)
    2020-12-01
    oval:org.opensuse.security:def:60899
    P
    Security update for mariadb (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:33278
    P
    unzip on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:59693
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:60815
    P
    Security update for python3 (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60790
    P
    Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important)
    2020-12-01
    oval:org.opensuse.security:def:29569
    P
    Security update for SDL (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64358
    P
    liboath-devel on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60711
    P
    Security update for java-1_7_1-ibm (Important)
    2020-12-01
    oval:org.opensuse.security:def:59387
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:64357
    P
    libnm0 on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60598
    P
    Security update for MozillaFirefox (Important)
    2020-12-01
    oval:org.opensuse.security:def:33290
    P
    xen on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:64221
    P
    btrfsmaintenance on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:60509
    P
    perl-XML-LibXML on GA media (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:63892
    P
    Security update for file (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:63663
    P
    Security update for libssh2_org (Important)
    2020-12-01
    oval:org.opensuse.security:def:30745
    P
    Security update for ansible, python-straight-plugin (Moderate)
    2020-12-01
    oval:org.opensuse.security:def:59397
    P
    Security update for xen (Important)
    2020-12-01
    oval:org.opensuse.security:def:84056
    P
    Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important)
    2020-11-12
    oval:org.opensuse.security:def:84511
    P
    Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important)
    2020-11-12
    oval:org.opensuse.security:def:110474
    P
    Security update for ansible (Moderate)
    2020-04-12
    oval:com.ubuntu.bionic:def:2019102060000000
    V
    CVE-2019-10206 on Ubuntu 18.04 LTS (bionic) - medium.
    2019-11-22
    oval:com.ubuntu.xenial:def:2019102060000000
    V
    CVE-2019-10206 on Ubuntu 16.04 LTS (xenial) - medium.
    2019-11-22
    oval:com.ubuntu.disco:def:2019102060000000
    V
    CVE-2019-10206 on Ubuntu 19.04 (disco) - medium.
    2019-11-22
    oval:org.opensuse.security:def:84340
    P
    Security update for ansible (Moderate)
    2019-09-03
    oval:org.opensuse.security:def:83892
    P
    Security update for ansible (Moderate)
    2019-09-03