CVE-2020-14330
MEDIUM 5.5 | EPSS 0.22%
Improper Output Neutralization and Improper Encoding or Escaping of Output for Logs in ansible
Published: 2022/2/9 | Modified: 2026/4/28
Description
An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.
Affected packages (5)
- Alpine/ansible: from 0, < 2.8.15-r0
- Alpine/ansible-base: from 0, < 2.9.13-r0
- Debian/ansible: from 0, < 2.9.13+dfsg-1
- PyPI/ansible: from 0, < 2.10.0
- PyPI/ansible: from 0, < 2.10.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
References (11)
- ADVISORY: https://github.com/advisories/GHSA-785x-qw4v-6872
- ADVISORY: https://nvd.nist.gov/vuln/detail/CVE-2020-14330
- ADVISORY: https://security.alpinelinux.org/vuln/CVE-2020-14330
- ADVISORY: https://security-tracker.debian.org/tracker/CVE-2020-14330
- PATCH: https://github.com/ansible/ansible
- WEB: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14330
- WEB: https://github.com/ansible/ansible/commit/e0f25a2b1f9e6c21f751ba0ed2dc2eee2152983e
- WEB: https://github.com/ansible/ansible/issues/68400
- WEB: https://github.com/ansible/ansible/pull/69653
- WEB: https://github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2020-3.yaml
- WEB: https://www.debian.org/security/2021/dsa-4950