CVE-2020-14330 in Red Hat and Debian Products
Published on September 11, 2020

An Improper Output Neutralization for Logs flaw was found in Ansible when using the uri module, where sensitive data is exposed to content and json output. This flaw allows an attacker to access the logs or outputs of performed tasks to read keys used in playbooks from other users within the uri module. The highest threat from this vulnerability is to data confidentiality.

Vendor Advisory NVD

Vulnerability Analysis

CVE-2020-14330 is exploitable with local system access, requires user interaction and a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality, with no impact on integrity and availability.

Attack Vector:

LOCAL

Attack Complexity:

LOW

Privileges Required:

LOW

User Interaction:

REQUIRED

Scope:

UNCHANGED

Confidentiality Impact:

HIGH

Integrity Impact:

NONE

Availability Impact:

NONE

Weakness Type

Insertion of Sensitive Information into Log File

Information written to log files can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.

Products Associated with CVE-2020-14330

stack.watch emails you whenever new vulnerabilities are published in Red Hat Ansible Engine or Debian Linux. Just hit a watch button to start following.

Red Hat Ansible Engine

Debian Linux

Affected Versions

Red Hat Ansible Version 2.10.0 is affected by CVE-2020-14330

Exploit Probability

EPSS

0.13%

Percentile

32.72%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.