High severity · NVD Advisory · Published Nov 25, 2019 · Updated Aug 4, 2024
CVE-2019-10217
Description
A flaw was found in Ansible 2.8.0 before 2.8.4. Fields that manage sensitive data should be marked as such with the no_log feature. Some of these fields in the GCP modules are not set properly: service_account_contents(), which is a common class for all GCP modules, does not set no_log to True. Any sensitive data managed by that function would be leaked in the output when running Ansible playbooks.
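As an added illustration (not code from Ansible or from this advisory), the following Python example audits a module argument spec for secret-bearing parameters that lack no_log=True and models how a masked value appears in logged output. The name heuristic, the helper names, the auth_kind parameter and the sample specs are assumptions constructed for the example.

```python
import re

# Hypothetical heuristic: parameter names that usually carry secrets.
SENSITIVE_NAME = re.compile(
    r"(password|passphrase|secret|token|private_key|credentials?|contents)$", re.I
)
# Placeholder modelled on the one Ansible substitutes for no_log values.
MASK = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"


def missing_no_log(argument_spec, prefix=""):
    """Return dotted names of sensitive-looking params not marked no_log=True."""
    findings = []
    for name, spec in sorted(argument_spec.items()):
        path = prefix + name
        if SENSITIVE_NAME.search(name) and spec.get("no_log") is not True:
            findings.append(path)
        # Recurse into suboptions declared under 'options'.
        findings.extend(missing_no_log(spec.get("options") or {}, path + "."))
    return findings


def logged_invocation(argument_spec, params):
    """Model of the parameters echoed in task output: no_log values are masked."""
    return {
        name: MASK if argument_spec.get(name, {}).get("no_log") else value
        for name, value in params.items()
    }


# Constructed sample specs; parameter names follow the ones in this advisory.
VULNERABLE_SPEC = {
    "auth_kind": {"type": "str", "required": True},
    "service_account_file": {"type": "path"},
    "service_account_contents": {"type": "str"},
    "scopes": {"type": "list"},
}
FIXED_SPEC = dict(
    VULNERABLE_SPEC, service_account_contents={"type": "str", "no_log": True}
)
# Constructed sample task parameters; the key material is a dummy string.
SAMPLE_PARAMS = {
    "auth_kind": "serviceaccount",
    "service_account_contents": '{"private_key": "CONSTRUCTED-NOT-A-REAL-KEY"}',
}

if __name__ == "__main__":
    for label, spec in (("vulnerable", VULNERABLE_SPEC), ("fixed", FIXED_SPEC)):
        print(label, missing_no_log(spec), logged_invocation(spec, SAMPLE_PARAMS))
```

Running the same audit over each module's real argument spec in CI flags new secret-bearing parameters before they ship without no_log.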
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| ansible (PyPI) | >= 2.8.0a1, < 2.8.4 | 2.8.4 |
Affected products: 1
Patches
c1ee1f142db1 gcp_utils: Handle JSON decode exception (#59427)
1 file changed · +7 −2
lib/ansible/module_utils/gcp_utils.py+7 −2 modified@@ -18,7 +18,7 @@ from ansible.module_utils.basic import AnsibleModule, env_fallback from ansible.module_utils.six import string_types -from ansible.module_utils._text import to_text +from ansible.module_utils._text import to_text, to_native import ast import os import json @@ -156,7 +156,12 @@ def _credentials(self): path = os.path.realpath(os.path.expanduser(self.module.params['service_account_file'])) return service_account.Credentials.from_service_account_file(path).with_scopes(self.module.params['scopes']) elif cred_type == 'serviceaccount' and self.module.params.get('service_account_contents'): - cred = json.loads(self.module.params.get('service_account_contents')) + try: + cred = json.loads(self.module.params.get('service_account_contents')) + except json.decoder.JSONDecodeError as e: + self.module.fail_json( + msg="Unable to decode service_account_contents as JSON : %s" % to_native(e) + ) return service_account.Credentials.from_service_account_info(cred).with_scopes(self.module.params['scopes']) elif cred_type == 'machineaccount': return google.auth.compute_engine.Credentials(
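Review bot: In the second hunk (`_credentials`), the except clause names `json.decoder.JSONDecodeError`, which exists only on Python 3.5 and later; on Python 2, `json.loads` raises a plain ValueError, and looking up that attribute while handling it raises AttributeError instead of reaching `fail_json`. Catching ValueError covers both interpreters, since JSONDecodeError is a subclass of it. Separately, nothing in the visible lines sets no_log on `service_account_contents`, so the masking the description calls for has to come from the argument spec rather than from this change.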
References
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00021.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- lists.opensuse.org/opensuse-security-announce/2020-04/msg00026.html (ghsa, vendor-advisory, x_refsource_SUSE, WEB)
- github.com/advisories/GHSA-p75j-wc34-527c (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2019-10217 (ghsa, ADVISORY)
- bugzilla.redhat.com/show_bug.cgi (ghsa, x_refsource_CONFIRM, WEB)
- github.com/ansible/ansible/commit/c1ee1f142db1e669b710a65147ea32be47a91519 (ghsa, WEB)
- github.com/ansible/ansible/issues/56269 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/ansible/ansible/pull/59427 (ghsa, x_refsource_CONFIRM, WEB)
- github.com/pypa/advisory-database/tree/main/vulns/ansible/PYSEC-2019-3.yaml (ghsa, WEB)