#VU47114 Input validation error - CVE-2020-14330

Cybersecurity Help s.r.o.

Published: 2020-09-11 | Updated: 2020-09-26

Vulnerability identifier: #VU47114

Vulnerability risk: Low

CVSSv4.0: 4.3 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2020-14330

CWE-ID: CWE-20

Exploitation vector: Local

Exploit availability: No

Description

The vulnerability allows a local authenticated user to gain access to sensitive information.

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.

Mitigation
Install update from vendor's website.

External links
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-14330
https://github.com/ansible/ansible/issues/68400

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

SUSE update for SUSE Manager Client Tools

Multiple vulnerabilities in IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data

Multiple vulnerabilities in Dell EMC Data Computing Appliance (DCA)

Debian update for ansible

Input validation error in ansible-base (Alpine package)

Input validation error in ansible (Alpine package)