Memory leak in Ansible

#VU85621 Memory leak in Ansible

Cybersecurity Help s.r.o.

Published: 2024-01-19

Vulnerability identifier: #VU85621

Vulnerability risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2024-0690

CWE-ID: CWE-401

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Ansible
Server applications / Remote management servers, RDP, SSH

Vendor: Red Hat Inc.

Description
The vulnerability allows a local user to gain access to sensitive information.

The vulnerability exists due memory leak caused by a failure to respect the ANSIBLE_NO_LOG configuration in some scenarios. A local user can gain access to potentially sensitive information.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Ansible: 2.16.0 - 2.16.2, 2.15.0 - 2.15.8, 2.14.0 - 2.14.13

External links
http://bugzilla.redhat.com/show_bug.cgi?id=2259013

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Memory leak in IBM Maximo Application Suite

Amazon Linux AMI update for ansible-core

Red Hat Enterprise Linux 8 update for ansible-core

Multiple vulnerabilities in IBM Db2 on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data

SUSE update for SUSE Manager Client Tools

SUSE update for Security Beta update for SUSE Manager Client Tools and Salt

Red Hat Enterprise Linux 9 update for ansible-core

openEuler update for ansible

Multiple vulnerabilities in Red Hat Ansible Automation Platform 2.4 for RHEL 9

Fedora 38 update for ansible-core