Critical severity, 9.8 (NVD) · Advisory · Published Nov 21, 2017 · Updated May 13, 2026
CVE-2017-7550
Description
A flaw was found in the way Ansible (2.3.x before 2.3.3, and 2.4.x before 2.4.1) passed certain parameters to the jenkins_plugin module. The module accepted a free-form `params` dictionary whose contents were merged into the module's arguments after Ansible's option processing had already run, so a `url_password` supplied inside `params` escaped the masking that applies to the real `url_password` argument and could be written in clear to the managed host's logs. An attacker able to read those logs could recover the Jenkins credentials. The flaw was fixed in 2.3.3 and 2.4.1 by rejecting a `url_password` given in the `params` argument and documenting this in the module; the `params` option was subsequently removed altogether (see Patches).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ansible (PyPI) | >= 2.4.0.0, < 2.4.1.0 | 2.4.1.0 |
| ansible (PyPI) | >= 2.3.0.0, < 2.3.3.0 | 2.3.3.0 |
Affected products
- cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Patches
facbf7f14da2 Remove the params option from jenkins_plugin and yum_repository (#32708)
3 files changed · +16 −29
CHANGELOG.md+2 −0 modified@@ -29,6 +29,8 @@ Ansible Changes By Release * Added support to `become` `NT AUTHORITY\System`, `NT AUTHORITY\LocalService`, and `NT AUTHORITY\NetworkService` on Windows hosts * Fixed `become` to work with async on Windows hosts * Improved `become` elevation process to work on standard Administrator users without disabling UAC on Windows hosts +* The jenkins_plugin and yum_repository plugins had their `params` option + removed due to circumventing Ansible's option processing. ### New Plugins
lib/ansible/modules/packaging/os/yum_repository.py+7 −11 modified@@ -241,12 +241,6 @@ - Unique repository ID. - This parameter is only required if I(state) is set to C(present) or C(absent). - params: - required: false - default: null - description: - - Option used to allow the user to overwrite any of the other options. - To remove an option, set the value of the option to C(null). password: required: false default: null @@ -391,6 +385,8 @@ - The repo file will be automatically deleted if it contains no repository. - When removing a repository, beware that the metadata cache may still remain on disk until you run C(yum clean all). Use a notification handler for this. + - "The C(params) parameter was removed in Ansible 2.5 due to circumventing Ansible's parameter + handling" ''' EXAMPLES = ''' @@ -699,11 +695,11 @@ def main(): supports_check_mode=True, ) - # Update module parameters by user's parameters if defined - if 'params' in module.params and isinstance(module.params['params'], dict): - module.params.update(module.params['params']) - # Remove the params - module.params.pop('params', None) + # Params was removed + # https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html + if module.params['params']: + module.fail_json(msg="The params option to yum_repository was removed in Ansible 2.5" + "since it circumvents Ansible's option handling") name = module.params['name'] state = module.params['state']
lib/ansible/modules/web_infrastructure/jenkins_plugin.py+7 −18 modified@@ -46,14 +46,6 @@ default: jenkins description: - Name of the Jenkins user on the OS. - params: - required: false - default: null - description: - - Option used to allow the user to overwrite any of the other options. To - remove an option, set the value of the option to C(null). - - Changed in 2.5.0, 2.4.1, 2.3.3 to raise an error if C(url_password) is specified in params. - Use the actual C(url_password) argument instead. state: required: false choices: [absent, present, pinned, unpinned, enabled, disabled, latest] @@ -120,6 +112,8 @@ - It is not possible to run the module remotely by changing the I(url) parameter to point to the Jenkins server. The module must be used on the host where Jenkins runs as it needs direct access to the plugin files. + - "The C(params) option was removed in Ansible 2.5 due to circumventing Ansible's + option handling" ''' EXAMPLES = ''' @@ -762,16 +756,11 @@ def main(): supports_check_mode=True, ) - # Update module parameters by user's parameters if defined - if 'params' in module.params and isinstance(module.params['params'], dict): - if 'url_password' in module.params['params']: - # The params argument should be removed eventually. Until then, raise an error if - # url_password is specified there as it can lead to the password being logged - module.fail_json(msg='Do not specify url_password in params as it may get logged') - - module.params.update(module.params['params']) - # Remove the params - module.params.pop('params', None) + # Params was removed + # https://meetbot.fedoraproject.org/ansible-meeting/2017-09-28/ansible_dev_meeting.2017-09-28-15.00.log.html + if module.params['params']: + module.fail_json(msg="The params option to jenkins_plugin was removed in Ansible 2.5" + "since it circumvents Ansible's option handling") # Force basic authentication module.params['force_basic_auth'] = True
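Review bot: the CHANGELOG.md hunk calls jenkins_plugin and yum_repository "plugins" and gives no hint of why circumventing option processing mattered, so a user whose playbook starts failing on upgrade cannot tell this is a security fix. Both are modules, and the jenkins_plugin hunk records the actual consequence (url_password in params "may get logged"). Suggest: `* The jenkins_plugin and yum_repository modules had their `params` option removed: values passed through it bypassed Ansible's option processing, so a url_password given in params could be logged (CVE-2017-7550). Pass the options directly instead.`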
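Review bot: in the yum_repository main() hunk the two adjacent string literals passed to fail_json have no separating whitespace, so the message renders as "removed in Ansible 2.5since it circumvents Ansible's option handling"; end the first literal with a space. The new check also reads `module.params['params']` unconditionally, which only works while `params` is still declared in argument_spec, and that spec is not in the hunk: if it was dropped together with the DOCUMENTATION entry, every invocation raises KeyError before the tailored message is reached. Confirm that argument_spec still declares `params` (or use `module.params.get('params')`), and note that with a truthiness test `params: {}` is still accepted silently.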
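Review bot: the jenkins_plugin DOCUMENTATION hunk deletes the line "Changed in 2.5.0, 2.4.1, 2.3.3 to raise an error if C(url_password) is specified in params" and replaces it with a note that mentions only 2.5, so users on the patched 2.3.3 and 2.4.1 releases lose the one pointer to the behaviour they will actually see; keep a version note covering both branches. In the main() hunk the removed code also deleted the key with `module.params.pop('params', None)`, whereas the replacement leaves `params` in module.params, so any later code that walks module.params now sees a `params` entry. The fail_json message has the same missing space as in yum_repository ("2.5since").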
Vulnerability mechanics
Both modules accepted a free-form `params` dictionary and, after Ansible had parsed and validated the declared arguments, merged it straight into the module's parameters (`module.params.update(module.params['params'])` in the removed code). Anything placed in that dictionary therefore skipped the argument_spec: no type checking, no `required` or `choices` enforcement and, critically, no `no_log` masking. Ansible records a module's invocation arguments (in the task result and in the target host's syslog or journal) with `no_log` values replaced by a placeholder; `url_password` is declared `no_log` in jenkins_plugin, but a password nested inside `params` is an ordinary dict value and is written out verbatim. Anyone who can read those logs recovers the Jenkins credential. The 2.3.3 and 2.4.1 releases closed the hole narrowly by failing when `url_password` appears inside `params`; the commit above (merged for 2.5) removes `params` from both modules, so nothing can bypass option processing any more.
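The following is an added, self-contained simulation of the mechanism described above; it is not Ansible's code. `ARGUMENT_SPEC`, `log_invocation`, `validate` and the result dicts are assumptions that imitate AnsibleModule only as far as needed to show why a password inside `params` reached the log unmasked, and how the post-fix flow refuses it.

```python
"""Simulation of how a free-form ``params`` dict defeated no_log masking
in jenkins_plugin (CVE-2017-7550): the vulnerable merge beside the fix.
Added example, not Ansible's code. ARGUMENT_SPEC, the masking routine
and the result dicts are constructed stand-ins for AnsibleModule."""

NO_LOG_PLACEHOLDER = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"

# Constructed, cut-down argument_spec. The real module declares
# url_password with no_log=True; ``params`` was an ordinary dict.
ARGUMENT_SPEC = {
    "name": {"type": "str", "required": True},
    "url_username": {"type": "str"},
    "url_password": {"type": "str", "no_log": True},
    "params": {"type": "dict"},
}


def log_invocation(spec, args):
    """Imitates the invocation record Ansible writes to syslog and to the
    task result: top-level no_log arguments are replaced by a placeholder,
    everything else (nested dicts included) is copied verbatim."""
    record = {}
    for key, value in args.items():
        if spec.get(key, {}).get("no_log"):
            record[key] = NO_LOG_PLACEHOLDER
        else:
            record[key] = value
    return record


def validate(spec, args):
    """Minimal stand-in for argument_spec checking on the top-level
    arguments only: unknown keys and missing required keys are errors."""
    for key in args:
        if key not in spec:
            return "Unsupported parameter: %s" % key
    for key, rule in spec.items():
        if rule.get("required") and key not in args:
            return "missing required argument: %s" % key
    return None


def run_vulnerable(spec, args):
    """Pre-fix flow: validate and log the declared arguments, then merge
    the contents of ``params`` into the parameter dict. Values arriving
    through ``params`` are neither validated nor masked."""
    err = validate(spec, args)
    if err:
        return {"failed": True, "msg": err}
    invocation = log_invocation(spec, args)
    params = dict(args)
    extra = params.pop("params", None)
    if isinstance(extra, dict):
        params.update(extra)
    return {"failed": False, "params": params, "invocation": invocation}


def run_fixed(spec, args):
    """Post-fix flow (commit facbf7f): refuse a non-empty ``params``
    before anything is merged, so only declared arguments are used."""
    err = validate(spec, args)
    if err:
        return {"failed": True, "msg": err}
    if args.get("params"):
        return {"failed": True,
                "msg": "The params option to jenkins_plugin was removed "
                       "since it circumvents Ansible's option handling"}
    return {"failed": False, "params": dict(args),
            "invocation": log_invocation(spec, args)}


def secret_in_log(result, secret):
    """True when the secret string appears in the logged invocation."""
    return secret in repr(result.get("invocation", {}))


if __name__ == "__main__":
    # Constructed task arguments: password via params (the bypass) and
    # via the declared, no_log argument (masked).
    via_params = {"name": "git",
                  "params": {"url_username": "admin", "url_password": "hunter2"}}
    direct = {"name": "git", "url_username": "admin", "url_password": "hunter2"}
    print("vulnerable, via params, leaked:", secret_in_log(run_vulnerable(ARGUMENT_SPEC, via_params), "hunter2"))
    print("vulnerable, direct, leaked:    ", secret_in_log(run_vulnerable(ARGUMENT_SPEC, direct), "hunter2"))
    print("fixed, via params:             ", run_fixed(ARGUMENT_SPEC, via_params)["msg"])
```

The takeaway for playbook authors is the one the patched documentation gives: pass `url_password` as the module's own argument, never inside a catch-all dictionary, because masking is keyed to the declared argument name. Hosts that ran tasks with `url_password` inside `params` on an affected release should have their module logs and journals checked for the credential, and the credential rotated if it appears there.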
References
- access.redhat.com/errata/RHSA-2017:2966 (NVD: issue tracking, third-party advisory)
- bugzilla.redhat.com/show_bug.cgi (NVD: issue tracking, third-party advisory)
- github.com/advisories/GHSA-588w-w6mv-3cw5 (GHSA: advisory)
- github.com/ansible/ansible/issues/30874 (NVD: issue tracking, third-party advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-7550 (GHSA: advisory)
- access.redhat.com/security/cve/CVE-2017-7550 (GHSA: web)
- github.com/ansible/ansible/commit/facbf7f14da29eea67ef68ab386fc15bd06d7c7f (GHSA: web)
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2017-4.yaml (GHSA: web)