PyPI: ansible-core

CVE-2024-8775

Safety vulnerability ID: SFTY-20240914-56637

Safety legacy ID: pyup.io-73302

Created at: May 22, 2026

Updated at: May 22, 2026

Overview

Ansible vulnerable to Insertion of Sensitive Information into Log File

Advisory

A security vulnerability affects Ansible, impacting the handling of sensitive information stored in Ansible Vault files. The vulnerability occurs during playbook execution when using tasks like include_vars to load vaulted variables without setting the no_log: true parameter. This flaw causes sensitive data, including passwords and API keys, to be exposed in plaintext within playbook outputs or logs. Attackers who gain access to these outputs could potentially acquire secrets, leading to unauthorized access or actions on affected systems. Users must immediately review and update their Ansible playbooks to ensure proper use of the no_log: true parameter when handling vaulted variables. Additionally, users should audit recent playbook outputs and logs for potential secret exposure.
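
One way to carry out the playbook review described above, as an added example that is not from this advisory or the Ansible project: a heuristic Python scan that flags include_vars tasks with no task-level no_log: true, run on a constructed sample playbook. The function name, the sample playbook and its file names are assumptions made for illustration.

```python
import re

# Constructed sample playbook: one exposed include_vars task, one hardened.
SAMPLE_PLAYBOOK = """\
- hosts: all
  tasks:
    - name: Load vaulted secrets (exposed)
      ansible.builtin.include_vars:
        file: vault.yml

    - name: Load vaulted secrets (hardened)
      include_vars: vault.yml
      no_log: true
"""

MODULES = {"include_vars", "ansible.builtin.include_vars"}
TRUTHY = {"true", "yes", "on"}
ITEM = re.compile(r"^(\s*)- (.*)$")
KEY = re.compile(r"^([\w.]+)\s*:\s*(.*)$")


def find_unprotected_include_vars(text):
    """Return (line_number, task_name) for include_vars tasks lacking no_log: true.

    Hypothetical helper: a heuristic line scan, not a YAML parser. Only keys set
    directly on the task count, so no_log inherited from a play or block is flagged.
    """
    lines = text.splitlines()
    findings = []
    for i, line in enumerate(lines):
        item = ITEM.match(line)
        if not item:
            continue
        key_indent = len(item.group(1)) + 2  # column where this item's keys sit
        body = [(key_indent, item.group(2))]
        for nxt in lines[i + 1:]:
            indent = len(nxt) - len(nxt.lstrip())
            if nxt.strip() and indent < key_indent:
                break  # dedent: the list item has ended
            body.append((indent, nxt.strip()))
        keys = {}
        for indent, content in body:
            key = KEY.match(content)
            if key and indent == key_indent:
                value = key.group(2).split(" #")[0].strip().strip("'\"")
                keys[key.group(1)] = value
        if MODULES & set(keys) and keys.get("no_log", "").lower() not in TRUTHY:
            findings.append((i + 1, keys.get("name", "<unnamed>")))
    return findings
```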

Affected Package

Affecting ansible-core package, versions
<2.16.13
>=2.17.0b1,<2.17.6

How to Fix

Upgrade ansible-core to 2.16.13, 2.17.6 or higher.


Verified by Safety

Our Cybersecurity Intelligence Team reviewed this vulnerability. We combine public data with our own research to find issues not yet reported to public sources.
