CVE-2018-10855
ansible - security update
5.9
MEDIUM
CVSS 3.1
EPSS 3.0%
Description
Ansible 2.5 prior to 2.5.5, and 2.4 prior to 2.4.5, do not honor the no_log task flag for failed tasks. When the no_log flag has been used to protect sensitive data passed to a task from being logged, and that task does not run successfully, Ansible will expose sensitive data in log files and on the terminal of the user running Ansible.
How to fix CVE-2018-10855
To remediate CVE-2018-10855, upgrade the affected package to a fixed version below.
- upgrade to 2.4.6.0-r0 or later
- upgrade to 2.5.5+dfsg-1 or later
- upgrade to 2.2.1.0-2+deb9u1 or later
- upgrade to 2.5.5 or later
- upgrade to 2.5.5 or later
Is CVE-2018-10855 being exploited?
Low — EPSS is 3.0%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- from 0, < 2.4.6.0-r0
- from 0, < 2.5.5+dfsg-1
- from 0, < 2.2.1.0-2+deb9u1
- >= 2.5.0a1, < 2.5.5
- >= 2.5, < 2.5.5, >= 2.4, < 2.4.5.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | MEDIUM 5.9 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |