High severity · NVD Advisory · Published Nov 22, 2019 · Updated Aug 4, 2024

CVE-2019-10206


Description

ansible-playbook -k and ansible cli tools, all versions 2.8.x before 2.8.4, all 2.7.x before 2.7.13 and all 2.6.x before 2.6.19, prompt for passwords and then expand them through the template engine, so a password containing special characters could trigger templating. Passwords should be wrapped to prevent templates from being triggered and the passwords from being exposed.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
ansible (PyPI) | >= 2.8.0, < 2.8.4 | 2.8.4
ansible (PyPI) | >= 2.7.0, < 2.7.13 | 2.7.13
ansible (PyPI) | >= 2.6.0, < 2.6.19 | 2.6.19


Patches

3
d728127310b4

prevent templating of passwords from prompt (#59246) (#59553)

https://github.com/ansible/ansibleBrian CocaAug 13, 2019via ghsa
3 files changed · +22 3
  • changelogs/fragments/dont_template_passwords_from_prompt.yml+2 0 added
    @@ -0,0 +1,2 @@
    +bugfixes:
    +    - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters.
    
  • lib/ansible/cli/__init__.py+8 0 modified
    @@ -42,6 +42,7 @@
     from ansible.release import __version__
     from ansible.utils.path import unfrackpath
     from ansible.utils.vars import load_extra_vars, load_options_vars
    +from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes
     from ansible.vars.manager import VariableManager
     from ansible.parsing.vault import PromptVaultSecret, get_file_vault_secret
     
    @@ -336,6 +337,13 @@ def ask_passwords(self):
             except EOFError:
                 pass
     
    +        # we 'wrap' the passwords to prevent templating as
    +        # they can contain special chars and trigger it incorrectly
    +        if sshpass:
    +            sshpass = AnsibleUnsafeBytes(sshpass)
    +        if becomepass:
    +            becomepass = AnsibleUnsafeBytes(becomepass)
    +
             return (sshpass, becomepass)
     
         def normalize_become_options(self):
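Review bot: The `AnsibleUnsafeBytes(sshpass)` / `AnsibleUnsafeBytes(becomepass)` wrapping at the end of ask_passwords assumes both values are already byte strings at this point, because `bytes(str)` without an encoding raises TypeError on Python 3, so if the prompt path ever handed a text value through, the wrap would fail rather than protect. The conversion to bytes presumably happens earlier in the function (its body starts outside the hunk), and a comment tying the two together would help, e.g. `# sshpass/becomepass are already bytes here; AnsibleUnsafeBytes subclasses bytes, so no encoding is needed`. Note also that the marker only survives while consumers pass the object through unchanged: any bytes operation or `to_text()` on it presumably yields a plain, unmarked value that is templatable again. The same hunk appears in the other two commits on this page (the hunks ending at `def normalize_become_options` and `def validate_conflicts`).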
    
  • lib/ansible/utils/unsafe_proxy.py+12 3 modified
    @@ -55,7 +55,7 @@
     
     from collections import Mapping, MutableSequence, Set
     
    -from ansible.module_utils.six import string_types, text_type
    +from ansible.module_utils.six import string_types, text_type, binary_type
     from ansible.module_utils._text import to_text
     
     
    @@ -70,15 +70,24 @@ class AnsibleUnsafeText(text_type, AnsibleUnsafe):
         pass
     
     
    +class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
    +    pass
    +
    +
     class UnsafeProxy(object):
         def __new__(cls, obj, *args, **kwargs):
    +        if isinstance(obj, AnsibleUnsafe):
    +            # Already marked unsafe
    +            return obj
    +
             # In our usage we should only receive unicode strings.
             # This conditional and conversion exists to sanity check the values
             # we're given but we may want to take it out for testing and sanitize
             # our input instead.
    +        # Note that this does the wrong thing if we're *intentionall* passing a byte string to this
    +        # function.
             if isinstance(obj, string_types):
    -            obj = to_text(obj, errors='surrogate_or_strict')
    -            return AnsibleUnsafeText(obj)
    +            obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
             return obj
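Review bot: The new `isinstance(obj, AnsibleUnsafe)` early return in `UnsafeProxy.__new__` is what keeps an `AnsibleUnsafeBytes` from being decoded into `AnsibleUnsafeText` on Python 2, where `binary_type` is also a `string_types` member; a plain, unmarked bytes value still takes the `to_text` path, as the added note admits. That note has a typo ("intentionall") and reads as a loose aside; suggest `# NOTE: a plain (unmarked) byte string is still converted to AnsibleUnsafeText here; wrap bytes in AnsibleUnsafeBytes before passing them in to keep them as bytes.` The new `AnsibleUnsafeBytes` class also has no docstring; a one-liner such as `"""Bytes counterpart of AnsibleUnsafeText: a byte string marked so that it is not templated."""` would record why the marker exists. The same hunk appears in the second commit on this page.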
     
     
    
4b5aed4e5af4

prevent templating of passwords from prompt (#59246) (#59554)

https://github.com/ansible/ansibleBrian CocaAug 13, 2019via ghsa
3 files changed · +22 3
  • changelogs/fragments/dont_template_passwords_from_prompt.yml+2 0 added
    @@ -0,0 +1,2 @@
    +bugfixes:
    +    - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters.
    
  • lib/ansible/cli/__init__.py+8 0 modified
    @@ -42,6 +42,7 @@
     from ansible.release import __version__
     from ansible.utils.path import unfrackpath
     from ansible.utils.vars import load_extra_vars, load_options_vars
    +from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes
     from ansible.vars.manager import VariableManager
     from ansible.parsing.vault import PromptVaultSecret, get_file_vault_secret
     
    @@ -342,6 +343,13 @@ def ask_passwords(self):
             except EOFError:
                 pass
     
    +        # we 'wrap' the passwords to prevent templating as
    +        # they can contain special chars and trigger it incorrectly
    +        if sshpass:
    +            sshpass = AnsibleUnsafeBytes(sshpass)
    +        if becomepass:
    +            becomepass = AnsibleUnsafeBytes(becomepass)
    +
             return (sshpass, becomepass)
     
         def normalize_become_options(self):
    
  • lib/ansible/utils/unsafe_proxy.py+12 3 modified
    @@ -55,7 +55,7 @@
     
     from collections import Mapping, MutableSequence, Set
     
    -from ansible.module_utils.six import string_types, text_type
    +from ansible.module_utils.six import string_types, text_type, binary_type
     from ansible.module_utils._text import to_text
     
     
    @@ -70,15 +70,24 @@ class AnsibleUnsafeText(text_type, AnsibleUnsafe):
         pass
     
     
    +class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
    +    pass
    +
    +
     class UnsafeProxy(object):
         def __new__(cls, obj, *args, **kwargs):
    +        if isinstance(obj, AnsibleUnsafe):
    +            # Already marked unsafe
    +            return obj
    +
             # In our usage we should only receive unicode strings.
             # This conditional and conversion exists to sanity check the values
             # we're given but we may want to take it out for testing and sanitize
             # our input instead.
    +        # Note that this does the wrong thing if we're *intentionall* passing a byte string to this
    +        # function.
             if isinstance(obj, string_types):
    -            obj = to_text(obj, errors='surrogate_or_strict')
    -            return AnsibleUnsafeText(obj)
    +            obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
             return obj
     
     
    
d39488ece449

prevent templating of passwords from prompt (#59246)

https://github.com/ansible/ansibleBrian CocaJul 24, 2019via ghsa
3 files changed · +17 4
  • changelogs/fragments/dont_template_passwords_from_prompt.yml+2 0 added
    @@ -0,0 +1,2 @@
    +bugfixes:
    +    - resolves CVE-2019-10206, by avoiding templating passwords from prompt as it is probable they have special characters.
    
  • lib/ansible/cli/__init__.py+8 0 modified
    @@ -29,6 +29,7 @@
     from ansible.utils.collection_loader import set_collection_playbook_paths
     from ansible.utils.display import Display
     from ansible.utils.path import unfrackpath
    +from ansible.utils.unsafe_proxy import AnsibleUnsafeBytes
     from ansible.vars.manager import VariableManager
     
     
    @@ -276,6 +277,13 @@ def ask_passwords():
             except EOFError:
                 pass
     
    +        # we 'wrap' the passwords to prevent templating as
    +        # they can contain special chars and trigger it incorrectly
    +        if sshpass:
    +            sshpass = AnsibleUnsafeBytes(sshpass)
    +        if becomepass:
    +            becomepass = AnsibleUnsafeBytes(becomepass)
    +
             return (sshpass, becomepass)
     
         def validate_conflicts(self, op, vault_opts=False, runas_opts=False, fork_opts=False, vault_rekey_opts=False):
    
  • lib/ansible/utils/unsafe_proxy.py+7 4 modified
    @@ -53,7 +53,7 @@
     from __future__ import (absolute_import, division, print_function)
     __metaclass__ = type
     
    -from ansible.module_utils.six import string_types, text_type
    +from ansible.module_utils.six import string_types, text_type, binary_type
     from ansible.module_utils._text import to_text
     from ansible.module_utils.common._collections_compat import Mapping, MutableSequence, Set
     
    @@ -69,15 +69,18 @@ class AnsibleUnsafeText(text_type, AnsibleUnsafe):
         pass
     
     
    +class AnsibleUnsafeBytes(binary_type, AnsibleUnsafe):
    +    pass
    +
    +
     class UnsafeProxy(object):
         def __new__(cls, obj, *args, **kwargs):
             # In our usage we should only receive unicode strings.
             # This conditional and conversion exists to sanity check the values
             # we're given but we may want to take it out for testing and sanitize
             # our input instead.
    -        if isinstance(obj, string_types):
    -            obj = to_text(obj, errors='surrogate_or_strict')
    -            return AnsibleUnsafeText(obj)
    +        if isinstance(obj, string_types) and not isinstance(obj, AnsibleUnsafeBytes):
    +            obj = AnsibleUnsafeText(to_text(obj, errors='surrogate_or_strict'))
             return obj
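Review bot: The guard `not isinstance(obj, AnsibleUnsafeBytes)` only excludes the new bytes class, so an `AnsibleUnsafeText` passed in is still run through `to_text` and re-wrapped, and a plain bytes value (on Python 2, where it is a `string_types` member) is silently converted to text. The two backport commits on this page instead return early on `isinstance(obj, AnsibleUnsafe)`, which covers both marked types in one check; using the same form here, `if isinstance(obj, AnsibleUnsafe): return obj` placed before the `string_types` test, would keep the three patches consistent. The enclosing class continues outside the hunk.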
     
     
    

