VYPR
High severity · NVD Advisory · Published Jan 3, 2019 · Updated Aug 5, 2024

CVE-2018-16876

Description

ansible before versions 2.5.14, 2.6.11, 2.7.5 is vulnerable to an information disclosure flaw in vvv+ mode with no_log on that can lead to leakage of sensitive data.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
ansible (PyPI) | < 2.5.14 | 2.5.14
ansible (PyPI) | >= 2.6.0a1, < 2.6.11 | 2.6.11
ansible (PyPI) | >= 2.7.0a1, < 2.7.5 | 2.7.5

Patches

3
e0a81d133ffc

ensure ssh retry respects no log (#49569) (#49726)

https://github.com/ansible/ansible · Brian Coca · Dec 10, 2018 · via ghsa
2 files changed · +15 -4
  • changelogs/fragments/avoid_ssh_retry_discolsures.yml +2 -0 added
    @@ -0,0 +1,2 @@
    +bugfixes:
    +    - now no log is being respected on retry and high verbosity. CVE-2018-16876
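
Review bot: the changelog entry on the second added line does not say which component changed or what was being exposed, so someone scanning release notes cannot tell whether they are affected. Name the no_log option as it is spelled in playbooks and keep the CVE reference, in the form the third fragment on this page uses: "Respect no_log on retry and high verbosity (CVE-2018-16876)". The fragment filename also misspells "disclosures" as "discolsures", which makes it harder to find by search.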
    
  • lib/ansible/plugins/connection/ssh.py +13 -4 modified
    @@ -256,19 +256,28 @@ def wrapped(self, *args, **kwargs):
                 try:
                     try:
                         return_tuple = func(self, *args, **kwargs)
    -                    display.vvv(return_tuple, host=self.host)
    +                    if self._play_context.no_log:
    +                        display.vvv('rc=%s, stdout & stderr censored due to no log' % return_tuple[0], host=self.host)
    +                    else:
    +                        display.vvv(return_tuple, host=self.host)
                         # 0 = success
                         # 1-254 = remote command return code
    -                    # 255 = failure from the ssh command itself
    -                except (AnsibleControlPersistBrokenPipeError) as e:
    +                    # 255 could be a failure from the ssh command itself
    +                except (AnsibleControlPersistBrokenPipeError):
                         # Retry one more time because of the ControlPersist broken pipe (see #16731)
                         display.vvv(u"RETRYING BECAUSE OF CONTROLPERSIST BROKEN PIPE")
                         return_tuple = func(self, *args, **kwargs)
     
                     if return_tuple[0] != 255:
                         break
                     else:
    -                    raise AnsibleConnectionFailure("Failed to connect to the host via ssh: %s" % to_native(return_tuple[2]))
    +                    msg = "Failed to connect to the host via ssh: "
    +                    if self._play_context.no_log:
    +                        msg += '<error censored due to no log>'
    +                    else:
    +                        msg += to_native(return_tuple[2])
    +                    raise AnsibleConnectionFailure(msg)
    +
                 except (AnsibleConnectionFailure, Exception) as e:
                     if attempt == remaining_tries - 1:
                         raise
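
Review bot: the outer handler at the end of this hunk, "except (AnsibleConnectionFailure, Exception) as e:", still binds e, and the visible lines show only the final-attempt re-raise, not what is done with e on earlier attempts. An exception other than the AnsibleConnectionFailure built here may carry command output in its message, so anything that path logs between retries needs the same self._play_context.no_log gate as the two places changed above. It is also worth confirming that the bare "raise" on the last attempt hands such exceptions to a caller that redacts them.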
    
424c68f15ad9

ensure ssh retry respects no log (#49569) (#49725)

https://github.com/ansible/ansible · Brian Coca · Dec 10, 2018 · via ghsa
2 files changed · +15 -4
  • changelogs/fragments/avoid_ssh_retry_discolsures.yml +2 -0 added
    @@ -0,0 +1,2 @@
    +bugfixes:
    +    - now no log is being respected on retry and high verbosity.  CVE-2018-16876
    
  • lib/ansible/plugins/connection/ssh.py +13 -4 modified
    @@ -273,11 +273,14 @@ def wrapped(self, *args, **kwargs):
                 try:
                     try:
                         return_tuple = func(self, *args, **kwargs)
    -                    display.vvv(return_tuple, host=self.host)
    +                    if self._play_context.no_log:
    +                        display.vvv('rc=%s, stdout & stderr censored due to no log' % return_tuple[0], host=self.host)
    +                    else:
    +                        display.vvv(return_tuple, host=self.host)
                         # 0 = success
                         # 1-254 = remote command return code
    -                    # 255 = failure from the ssh command itself
    -                except (AnsibleControlPersistBrokenPipeError) as e:
    +                    # 255 could be a failure from the ssh command itself
    +                except (AnsibleControlPersistBrokenPipeError):
                         # Retry one more time because of the ControlPersist broken pipe (see #16731)
                         cmd = args[0]
                         if self._play_context.password and isinstance(cmd, list):
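
Review bot: the reworded comment "255 could be a failure from the ssh command itself" no longer tells the reader what the other possibility is. State it outright (a remote command can exit 255 on its own), since the comment line above it still documents 1-254 as the only remote return codes. A smaller style point in the same hunk: with "as e" dropped, the parentheses in "except (AnsibleControlPersistBrokenPipeError):" are redundant.
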
    @@ -290,7 +293,13 @@ def wrapped(self, *args, **kwargs):
                     if return_tuple[0] != 255:
                         break
                     else:
    -                    raise AnsibleConnectionFailure("Failed to connect to the host via ssh: %s" % to_native(return_tuple[2]))
    +                    msg = "Failed to connect to the host via ssh: "
    +                    if self._play_context.no_log:
    +                        msg += '<error censored due to no log>'
    +                    else:
    +                        msg += to_native(return_tuple[2])
    +                    raise AnsibleConnectionFailure(msg)
    +
                 except (AnsibleConnectionFailure, Exception) as e:
                     if attempt == remaining_tries - 1:
                         raise
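
Review bot: the raise in this hunk is still reached for every return code of 255 ("if return_tuple[0] != 255: break", then "else:"), although the comment changed in the previous hunk now says 255 only could be an ssh failure. With no_log set, a remote command that itself exits 255 is reported as "Failed to connect to the host via ssh: <error censored due to no log>", and the stderr that would have shown the difference is withheld. The third patch on this page raises only under "if SSH_ERROR:"; if that check cannot be carried to this branch, word the censored message so it does not assert a connection failure.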
    
0954942dfdc5

ensure ssh retry respects no log (#49569) (#49724)

https://github.com/ansible/ansible · Brian Coca · Dec 10, 2018 · via ghsa
2 files changed · +13 -4
  • changelogs/fragments/avoid_ssh_retry_discolsures.yml +2 -0 added
    @@ -0,0 +1,2 @@
    +bugfixes:
    +    - Respect no_log on retry and high verbosity (CVE-2018-16876)
    
  • lib/ansible/plugins/connection/ssh.py +11 -4 modified
    @@ -335,11 +335,14 @@ def wrapped(self, *args, **kwargs):
                 try:
                     try:
                         return_tuple = func(self, *args, **kwargs)
    -                    display.vvv(return_tuple, host=self.host)
    +                    if self._play_context.no_log:
    +                        display.vvv('rc=%s, stdout & stderr censored due to no log' % return_tuple[0], host=self.host)
    +                    else:
    +                        display.vvv(return_tuple, host=self.host)
                         # 0 = success
                         # 1-254 = remote command return code
                         # 255 could be a failure from the ssh command itself
    -                except (AnsibleControlPersistBrokenPipeError) as e:
    +                except (AnsibleControlPersistBrokenPipeError):
                         # Retry one more time because of the ControlPersist broken pipe (see #16731)
                         cmd = args[0]
                         if self._play_context.password and isinstance(cmd, list):
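
Review bot: the new no_log branch around display.vvv ships without a test; the commit touches only the changelog fragment and ssh.py. A unit test that runs the wrapped function with self._play_context.no_log set and asserts that display.vvv receives only the "rc=..." string, never return_tuple itself, would stop a later refactor of the retry loop from reintroducing the leak.
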
    @@ -357,8 +360,12 @@ def wrapped(self, *args, **kwargs):
                                 break
     
                         if SSH_ERROR:
    -                        raise AnsibleConnectionFailure("Failed to connect to the host via ssh: %s"
    -                                                       % to_native(return_tuple[2]))
    +                        msg = "Failed to connect to the host via ssh: "
    +                        if self._play_context.no_log:
    +                            msg += '<error censored due to no log>'
    +                        else:
    +                            msg += to_native(return_tuple[2])
    +                        raise AnsibleConnectionFailure(msg)
     
                     break
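
Review bot: the "if self._play_context.no_log:" test under "if SSH_ERROR:" is the second hand-written no_log check in this wrapper (the display.vvv call in the previous hunk is the first), and the two placeholder strings differ: "stdout & stderr censored due to no log" versus "<error censored due to no log>". A small helper that takes return_tuple and returns either the real text or one fixed placeholder would keep the wording consistent and give any future message in this loop a single function to call instead of another if/else to remember.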
     
    
