{"containers": {"cna": {"affected": [{"product": "ansible", "vendor": "Red Hat, Inc.", "versions": [{"status": "affected", "version": "2.3.x before 2.3.3, 2.4.x before 2.4.1"}]}], "datePublic": "2017-07-21T00:00:00", "descriptions": [{"lang": "en", "value": "A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the \"params\" argument, and noting this in the module documentation."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-532", "description": "CWE-532", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2017-12-06T10:57:01", "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat"}, "references": [{"tags": ["x_refsource_CONFIRM"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1473645"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://github.com/ansible/ansible/issues/30874"}, {"name": "RHSA-2017:2966", "tags": ["vendor-advisory", "x_refsource_REDHAT"], "url": "https://access.redhat.com/errata/RHSA-2017:2966"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T16:04:12.039Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1473645"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://github.com/ansible/ansible/issues/30874"}, {"name": "RHSA-2017:2966", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"], "url": "https://access.redhat.com/errata/RHSA-2017:2966"}]}]}, "cveMetadata": {"assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "cveId": "CVE-2017-7550", "dateReserved": "2017-04-05T00:00:00", "dateUpdated": "2024-08-05T16:04:12.039Z", "state": "PUBLISHED", "datePublished": "2017-11-21T17:00:00Z"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "97808ABA-37DE-4764-93C7-C005BFEFFEA9", "versionEndExcluding": "2.3.3", "versionStartIncluding": "2.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:ansible:*:*:*:*:*:*:*:*", "matchCriteriaId": "32FE5F5F-9A2F-43B8-B50B-57709B4F3DD4", "versionEndExcluding": "2.4.1", "versionStartIncluding": "2.4.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "matchCriteriaId": "51EF4996-72F4-4FA4-814F-F5991E7A8318", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the \"params\" argument, and noting this in the module documentation."}, {"lang": "es", "value": "Se encontr\u00f3 un fallo en la manera en la que Ansible (en versiones 2.3.x anteriores a la 2.3.3 y versiones 2.4.x anteriores a la 2.4.1) pasaba algunos par\u00e1metros al m\u00f3dulo jenkins_plugin. Los atacantes remotos podr\u00edan utilizar este fallo para exponer informaci\u00f3n sensible de los logs de un host remoto. Este fallo se solucion\u00f3 no permitiendo que se especifiquen las contrase\u00f1as en el argumento \"params\" y anotando esto en la documentaci\u00f3n del m\u00f3dulo."}], "id": "CVE-2017-7550", "lastModified": "2024-11-21T03:32:08.837", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-11-21T17:29:00.210", "references": [{"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:2966"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1473645"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/ansible/ansible/issues/30874"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2017:2966"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1473645"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://github.com/ansible/ansible/issues/30874"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-532"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-532"}], "source": "nvd@nist.gov", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank Stefano Mazzucco (Kirontech) for reporting this issue.", "affected_release": [{"advisory": "RHSA-2017:2966", "cpe": "cpe:/a:redhat:rhel_extras_other:7", "package": "ansible-0:2.4.0.0-5.el7", "product_name": "Red Hat Enterprise Linux 7 Extras", "release_date": "2017-10-19T00:00:00Z"}], "bugzilla": {"description": "ansible: jenkins_plugin module exposes passwords in remote host logs", "id": "1473645", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1473645"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.5", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-532", "details": ["A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. Remote attackers could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the \"params\" argument, and noting this in the module documentation.", "A flaw was found in the way Ansible passed certain parameters to the jenkins_plugin module. A remote attacker could use this flaw to expose sensitive information from a remote host's logs. This flaw was fixed by not allowing passwords to be specified in the \"params\" argument, and noting this in the module documentation."], "name": "CVE-2017-7550", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3", "fix_state": "Not affected", "impact": "moderate", "package_name": "ansible", "product_name": "Red Hat OpenShift Enterprise 3"}, {"cpe": "cpe:/a:redhat:openstack:10", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 10 (Newton)"}, {"cpe": "cpe:/a:redhat:openstack:11", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 11 (Ocata)"}, {"cpe": "cpe:/a:redhat:openstack:12", "fix_state": "Will not fix", "package_name": "ansible", "product_name": "Red Hat OpenStack Platform 12 (Pike)"}, {"cpe": "cpe:/a:redhat:qci:1.0::el7", "fix_state": "Under investigation", "package_name": "ansible", "product_name": "Red Hat Quickstart Cloud Installer 1"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Will not fix", "impact": "moderate", "package_name": "ansible", "product_name": "Red Hat Storage 3"}, {"cpe": "cpe:/a:redhat:rhscon:2", "fix_state": "Will not fix", "impact": "moderate", "package_name": "ansible", "product_name": "Red Hat Storage Console 2"}], "public_date": "2017-09-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2017-7550\nhttps://nvd.nist.gov/vuln/detail/CVE-2017-7550"], "statement": "Red Hat OpenStack Platform will no longer be updating the Ansible package in: \n* Red Hat OpenStack Platform 10 (Newton)\n* Red Hat OpenStack Platform 11 (Ocata)\nAs of Red Hat Enterprise Linux 7.4, customers can consume an updated Ansible package directly from the extras-rhel-7.4 channel. For more information, refer to Red Hat Enterprise Linux release information.", "threat_severity": "Moderate"}