CVE-2019-10206

MEDIUM

Ansible <2.8.4, <2.7.13, <2.6.19 - Info Disclosure

Title source: llm

Description

ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt passwords by expanding them from templates as they could contain special characters. Passwords should be wrapped to prevent templates trigger and exposing them.

References (5)

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html

[Mailing List, Third Party Advisory] http://lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html

[Issue Tracking, Vendor Advisory] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10206

[Third Party Advisory] https://www.debian.org/security/2021/dsa-4950

[Mailing List] https://lists.debian.org/debian-lts-announce/2023/12/msg00018.html

Scores

CVSS v3 6.5

EPSS 0.0022

EPSS Percentile 44.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-522

Status published

Affected Products (5)

redhat/ansible < 2.6.19

debian/debian_linux

opensuse/backports_sle

opensuse/leap

pypi/ansible < 2.8.4PyPI

Timeline

Published Nov 22, 2019

Tracked Since Feb 18, 2026