CVE-2018-12557
Description
In Zuul 3.x before 3.1.0, the no_log attribute on a task is ignored when nodes go offline during a build, potentially leaking credentials or secrets.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Zuul 3.x prior to version 3.1.0, when nodes become offline during a build, the no_log attribute of a task is ignored. If the unreachable error occurs in a task that uses a loop variable (e.g., with_items), the contents of the loop items are printed in the console. This exposes sensitive data that should have been suppressed by the no_log directive [1].
Exploitation
An attacker does not need special privileges beyond the ability to trigger a build that involves tasks using loop variables and the no_log attribute. The exploit requires that at least one node becomes unreachable during the build execution. When the unreachable error is raised, the loop variable is leaked into the console output. The attacker can view this output if they have access to build logs [1].
Impact
Successful exploitation leads to information disclosure of credentials or secrets that were intended to be hidden by the no_log attribute. This compromises the confidentiality of sensitive data used in the build pipeline [1].
Mitigation
Upgrade to Zuul version 3.1.0 or later, which fixes the issue by properly respecting the no_log attribute even when nodes go offline [1][2]. As of the publication date (2018-06-19), no workaround other than the upgrade is available.
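The leak described in the Vulnerability section and the intent of the 3.1.0 fix, modelled as an added Python example (not Zuul's or Ansible's code): one console-callback handler echoes the loop item on an unreachable result, the other honours no_log; the result dict layout and key names are assumptions.

```python
# Illustrative model added here; it is not Zuul's or Ansible's code. It mimics
# how a console callback turns an "unreachable" task result into a log line,
# first the leaky way (loop item always printed) and then with no_log honoured.
# Result dicts are constructed; the key names follow Ansible's conventions
# (_ansible_no_log, item) but are assumptions for this model.

SECRET = "s3cr3t-deploy-token"  # constructed sample secret, not a real value


def make_result(host, item, no_log, msg="Failed to connect to the host"):
    """Build a constructed per-item task result like a callback would receive."""
    return {"host": host, "item": item, "_ansible_no_log": no_log, "msg": msg}


def leaky_unreachable_line(result):
    """Pre-fix behaviour modelled here: the loop item is echoed regardless of
    no_log, so a secret passed via with_items lands in the build console."""
    line = f"{result['host']} | UNREACHABLE => {result['msg']}"
    if result.get("item") is not None:
        line += f" (item={result['item']!r})"
    return line


def safe_unreachable_line(result):
    """Honour no_log: when set, emit only the host and a fixed placeholder, so
    neither the item nor the message (which may embed it) reaches the log."""
    if result.get("_ansible_no_log"):
        return f"{result['host']} | UNREACHABLE => output suppressed by no_log"
    return leaky_unreachable_line(result)


def line_leaks(line, secret):
    """Detection helper: does a console line contain the secret verbatim?"""
    return secret in line


if __name__ == "__main__":
    r = make_result("node-1", {"name": "db", "token": SECRET}, no_log=True)
    print(leaky_unreachable_line(r))   # secret visible in the console line
    print(safe_unreachable_line(r))    # placeholder only
```

Running `line_leaks` over archived build logs with known secret values is a cheap way to confirm whether a pre-3.1.0 deployment actually exposed anything.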
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: >=3.0,<3.1.0
- (no CPE) range: >=3.0.0,<3.1.0
Package: https://pypi.org/project/zuul
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: this section is only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
- lists.zuul-ci.org/pipermail/zuul-announce/2018-June/000015.html
- git.zuul-ci.org/cgit/zuul/commit/
- storyboard.openstack.org
News mentions
No linked articles in our index yet.