CVE-2024-0690

Description

An information disclosure flaw was found in ansible-core due to a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. Information is still included in the output in certain tasks, such as loop items. Depending on the task, this issue may include sensitive information, such as decrypted secret values.

How to fix CVE-2024-0690

To remediate CVE-2024-0690, upgrade the affected package to a fixed version below.

• —upgrade to 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1 or later
• —upgrade to 2.14.16-0+deb12u1 or later
• —upgrade to 2.14.14 or later
• —upgrade to 2.16.3 or later

Is CVE-2024-0690 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 2.10.7+merged+base+2.10.17+dfsg-0+deb11u1
• from 0, < 2.14.16-0+deb12u1
• from 0, < 2.14.14
• >= 2.16.0, < 2.16.3, >= 2.15.0, < 2.15.9, from 0, < 2.14.4

CVSS scores

References (18)

• ADVISORYgithub.com/advisories/GHSA-h24r-m9qc-pvpg
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-0690
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2024-0690
• PATCHgithub.com/ansible/ansible
• WEB