CVE-2020-14332

A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality.

CVSS v3 5.5 MEDIUM
CVSS v2.0 2.1 LOW

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

2.1^/10

CVSS v2.0 : LOW

Vector : AV:L/AC:L/Au:N/C:P/I:N/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact NONE

Availability Impact NONE

References

Link	Resource
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14332	Issue Tracking Vendor Advisory
https://github.com/ansible/ansible/pull/71033	Patch Third Party Advisory
https://www.debian.org/security/2021/dsa-4950	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:redhat:ansible_engine::::::::
	cpe:2.3:a:redhat:ansible_engine::::::::

Configuration 2 (hide)

cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

History

05 Apr 2022, 15:28

Type	Values Removed	Values Added
References		(DEBIAN) https://www.debian.org/security/2021/dsa-4950 - Third Party Advisory
References	~~(MISC) https://github.com/ansible/ansible/pull/71033 - Third Party Advisory~~	(MISC) https://github.com/ansible/ansible/pull/71033 - Patch, Third Party Advisory
CPE		cpe:2.3:o:debian:debian_linux:10.0:::::::*
First Time		Debian Debian debian Linux
CWE	~~CWE-532~~	CWE-117

Information

Published : 2020-09-11 18:15

Updated : 2023-12-10 13:27

NVD link : CVE-2020-14332

Mitre link : CVE-2020-14332

CVE.ORG link : CVE-2020-14332

JSON object : View

Products Affected

debian

debian_linux

redhat

ansible_engine

CWE

CWE-117

Improper Output Neutralization for Logs

CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2020-14332", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:P/I:N/A:N", "authentication": "NONE", "integrityImpact": "NONE", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "secalert@redhat.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2020-09-11T18:15:13.303", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14332", "tags": ["Issue Tracking", "Vendor Advisory"], "source": "secalert@redhat.com"}, {"url": "https://github.com/ansible/ansible/pull/71033", "tags": ["Patch", "Third Party Advisory"], "source": "secalert@redhat.com"}, {"url": "https://www.debian.org/security/2021/dsa-4950", "tags": ["Third Party Advisory"], "source": "secalert@redhat.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "secalert@redhat.com", "description": [{"lang": "en", "value": "CWE-117"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the Ansible Engine when using module_args. Tasks executed with check mode (--check-mode) do not properly neutralize sensitive data exposed in the event data. This flaw allows unauthorized users to read this data. The highest threat from this vulnerability is to confidentiality."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en Ansible Engine al usar module_args. Las tareas ejecutadas con el modo de verificaci\u00f3n (--check-mode) no neutralizan apropiadamente los datos confidenciales expuestos en los datos del evento. Este fallo permite a usuarios no autorizados leer estos datos. La mayor amenaza de esta vulnerabilidad es la confidencialidad"}], "lastModified": "2023-11-07T03:17:09.070", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DED70659-F9F7-4B00-B91D-7FA5F4A6D8F7", "versionEndExcluding": "2.8.14", "versionStartIncluding": "2.8.0"}, {"criteria": "cpe:2.3:a:redhat:ansible_engine:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F214846C-DD19-4EB0-8402-77F122989C35", "versionEndExcluding": "2.9.12", "versionStartIncluding": "2.9.0"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73"}], "operator": "OR"}]}], "sourceIdentifier": "secalert@redhat.com"}