Vulnerability CVE-2020-14330

Vulnerability Name:

CVE-2020-14330 (CCN-188183)

Assigned:

2020-09-10

Published:

2020-09-10

Updated:

2022-11-11

Summary:

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.

CVSS v3 Severity:

5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.8 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

5.0 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
4.4 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): Low User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): None Availibility (A): None

CVSS v2 Severity:

2.1 Low (CVSS v2 Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): None Availibility (A): None

4.6 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:N/A:N)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): None Availibility (A): None

Vulnerability Type:

CWE-532

Vulnerability Consequences:

Obtain Information

References:

Source: MITRE
Type: CNA
CVE-2020-14330

Source: CCN
Type: Red Hat Bugzilla Bug 1856815
(CVE-2020-14330) - CVE-2020-14330 Ansible: masked keys for uri module are exposed into content and json output

Source: CONFIRM
Type: Issue Tracking, Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14330

Source: XF
Type: UNKNOWN
ansible-cve202014330-info-disc(188183)

Source: MISC
Type: Exploit, Issue Tracking, Third Party Advisory
https://github.com/ansible/ansible/issues/68400

Source: CCN
Type: ansible GIT Repository
Sanitize URI module keys with no_log values #70762

Source: DEBIAN
Type: Third Party Advisory
DSA-4950

Source: CCN
Type: IBM Security Bulletin 6614909 (Spectrum Discover)
IBM Spectrum Discover is vulnerable to multiple vulnerabilities

Vulnerable Configuration:

Configuration 1:

cpe:/a:redhat:ansible_engine:*:*:*:*:*:*:*:* (Version < 2.9.12)

Configuration 2:

cpe:/o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:202014330	V	CVE-2020-14330	2022-06-30
oval:org.opensuse.security:def:111931	P	ansible-2.9.24-1.2 on GA media (Moderate)	2022-01-17
oval:org.opensuse.security:def:34051	P	Security update for MozillaFirefox (Important) (in QA)	2022-01-14
oval:org.opensuse.security:def:34052	P	Security update for net-snmp (Important)	2022-01-05
oval:org.opensuse.security:def:34012	P	Security update for bcm43xx-firmware (Important)	2021-12-13
oval:org.opensuse.security:def:34013	P	Security update for glib-networking (Important)	2021-12-13
oval:org.opensuse.security:def:33748	P	Security update for clamav (Moderate)	2021-12-01
oval:org.opensuse.security:def:33749	P	Security update for webkit2gtk3 (Important)	2021-12-01
oval:org.opensuse.security:def:105499	P	ansible-2.9.24-1.2 on GA media (Moderate)	2021-10-01
oval:org.opensuse.security:def:33964	P	Security update for unrar (Moderate)	2021-08-25
oval:org.opensuse.security:def:60340	P	Security update for openssl-1_1 (Important)	2021-08-24
oval:org.opensuse.security:def:33963	P	Security update for openssl-1_1 (Important)	2021-08-24
oval:org.opensuse.security:def:33660	P	Security update for polkit (Important)	2021-06-03
oval:org.opensuse.security:def:33906	P	Security update for python3 (Important)	2021-05-17
oval:org.opensuse.security:def:33905	P	Security update for the Linux Kernel (Important)	2021-05-13
oval:org.opensuse.security:def:30072	P	Security update for bind (Important)	2021-05-04
oval:org.opensuse.security:def:30071	P	Security update for cups (Important)	2021-04-30
oval:org.opensuse.security:def:29352	P	Security update for libnettle (Important)	2021-04-28
oval:org.opensuse.security:def:29483	P	Security update for git (Important)	2021-03-09
oval:org.opensuse.security:def:59856	P	Security update for python-cryptography (Important)	2021-03-02
oval:org.opensuse.security:def:60456	P	Security update for tomcat (Moderate)	2021-02-19
oval:org.opensuse.security:def:30028	P	Security update for krb5-appl (Important)	2021-02-19
oval:org.opensuse.security:def:30027	P	Security update for java-1_7_1-ibm (Important)	2021-02-18
oval:org.opensuse.security:def:60300	P	Security update for postgresql, postgresql12, postgresql13 (Important)	2021-01-26
oval:org.opensuse.security:def:30008	P	Security update for postgresql, postgresql12, postgresql13 (Important)	2021-01-26
oval:org.opensuse.security:def:30009	P	Security update for openssh (Moderate)	2021-01-05
oval:org.opensuse.security:def:61058	P	Security update for openexr (Moderate)	2020-12-23
oval:org.opensuse.security:def:60041	P	Security update for bash (Important)	2020-12-01
oval:org.opensuse.security:def:60899	P	Security update for mariadb (Moderate)	2020-12-01
oval:org.opensuse.security:def:60552	P	sysvinit-tools on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:60978	P	Security update for java-1_8_0-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:60761	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:29713	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:34077	P	Security update for libxslt (Moderate)	2020-12-01
oval:org.opensuse.security:def:29570	P	Security update for SuSEfirewall2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:33280	P	virt-utils on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:29970	P	Security update for libraptor	2020-12-01
oval:org.opensuse.security:def:34799	P	Security update for ansible (Moderate)	2020-12-01
oval:org.opensuse.security:def:29920	P	Security update for libevent (Moderate)	2020-12-01
oval:org.opensuse.security:def:34758	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:33372	P	Security update for IBM Java 1.4.2	2020-12-01
oval:org.opensuse.security:def:60815	P	Security update for python3 (Moderate)	2020-12-01
oval:org.opensuse.security:def:29269	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:30746	P	Security update for ansible (Moderate)	2020-12-01
oval:org.opensuse.security:def:61028	P	Security update for java-1_8_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:60672	P	Security update for python-PyKMIP (Moderate)	2020-12-01
oval:org.opensuse.security:def:33603	P	Security update for MozillaFirefox (Moderate)	2020-12-01
oval:org.opensuse.security:def:29281	P	Security update for xorg-x11-libX11 (Important)	2020-12-01
oval:org.opensuse.security:def:60790	P	Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important)	2020-12-01
oval:org.opensuse.security:def:29921	P	Security update for libexif	2020-12-01
oval:org.opensuse.security:def:34759	P	Security update for MozillaFirefox (Moderate)	2020-12-01
oval:org.opensuse.security:def:29865	P	Security update for the Linux Kernel (Moderate)	2020-12-01
oval:org.opensuse.security:def:34120	P	Security update for ncurses (Moderate)	2020-12-01
oval:org.opensuse.security:def:60111	P	Security update for the Linux Kernel (Live Patch 30 for SLE 12 SP2) (Important)	2020-12-01
oval:org.opensuse.security:def:33279	P	vino on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:60718	P	Security update for python3-requests (Moderate)	2020-12-01
oval:org.opensuse.security:def:30747	P	Security update for ansible (Moderate)	2020-12-01
oval:org.opensuse.security:def:30709	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:60937	P	Security update for galera-3, mariadb, mariadb-connector-c (Important)	2020-12-01
oval:org.opensuse.security:def:29627	P	Security update for bzip2 (Important)	2020-12-01
oval:org.opensuse.security:def:60634	P	Security update for openssl (Moderate)	2020-12-01
oval:org.opensuse.security:def:33291	P	xinetd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:60711	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:29866	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:34121	P	Security update for ncurses (Moderate)	2020-12-01
oval:org.opensuse.security:def:29712	P	Security update for Mozilla Firefox	2020-12-01
oval:org.opensuse.security:def:34076	P	Security update for libxslt	2020-12-01
oval:org.opensuse.security:def:33507	P	Security update for OpenSSL	2020-12-01
oval:org.opensuse.security:def:29270	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:29969	P	Security update for pulseaudio	2020-12-01
oval:org.opensuse.security:def:34798	P	Security update for ansible (Moderate)	2020-12-01
oval:org.opensuse.security:def:60600	P	Security update for postgresql10 (Important)	2020-12-01
oval:org.opensuse.security:def:30710	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:84056	P	Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important)	2020-11-12
oval:org.opensuse.security:def:84511	P	Security update for ansible, ardana-ansible, ardana-cinder, ardana-glance, ardana-mq, ardana-nova, ardana-osconfig, crowbar-core, crowbar-openstack, documentation-suse-openstack-cloud, grafana, grafana-natel-discrete-panel, openstack-cinder, openstack-monasca-installer, openstack-neutron, openstack-nova, python-Django, python-Flask-Cors, python-Pillow, python-ardana-packager, python-keystoneclient, python-keystonemiddleware, python-kombu, python-straight-plugin, python-urllib3, release-notes-suse-openstack-cloud, storm, storm-kit, venv-openstack-cinder, venv-openstack-swift (Important)	2020-11-12

BACK