CVE-2019-10206

Aliases:GHSA-cqmr-rcpr-cxh3PYSEC-2019-145

Advisory lineage Upstream: 0 Downstream: 22

Downstream

ALPINE-CVE-2019-10206 DEBIAN-CVE-2019-10206 DLA-3695-1 DSA-4950-1 MGASA-2019-0309 OPENSUSE-SU-2020:0513-1

Modified

Published: 22 Nov 2019, 00:00

Last modified:04 Aug 2024, 22:17

Vulnerability Summary

Overall Risk (default)

medium

26/100

CVSS Score

6.5 MEDIUM

v3.1 (nvd)

EPSS Score

0.32% LOW

0% probability +0.09%

KEV

Not listed

Ransomware

No reports

Public exploits

None found

Dark Web

Not detected

Timeline

22 Nov 2019, 00:00

Published

Vulnerability first disclosed

04 Aug 2024, 22:17

Last Modified

Vulnerability information updated

Description

ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.

CVSS Metrics

v4.0•HIGH•Score: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
v3.1•MEDIUM•Score: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
v3.0•MEDIUM•Score: 6.4CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N
v2.0•MEDIUM•Score: 4AV:N/AC:L/Au:S/C:P/I:N/A:N

EPSS Trends

Current EPSS score: 0.32%• Percentile: 55%

Techniques & Countermeasures

CWE-522•Insufficiently Protected Credentials
The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

Affected Systems

debian•debian_linux
10.0
opensuse•backports_sle
15.0:sp1
opensuse•leap
15.1
PyPI•ansible
≥ 2.7.0, < 2.7.13 | ≥ 2.6.0, < 2.6.19 | ≥ 2.8.0, < 2.8.4
red hat•ansible
all 2.8.x before 2.8.4 | all 2.7.x before 2.7.13 | all 2.6.x before 2.6.19
redhat•ansible
≥ 2.6.0, < 2.6.19 | ≥ 2.7.0, < 2.7.13 | ≥ 2.8.0, < 2.8.4